TCP/IP Solution
Lesson 2: Protect IP traffic with filters
Objective: Reduce unauthorized access to network resources using filters.

Protect IP traffic with filters

Minimizing the protocols and ports exposed on a host with a firewall can reduce the risk of unauthorized access. However, this can be difficult to manage, particularly when many hosts have different filtering requirements, which is why the Windows 2000 implementation of TCP/IP supports application layer filtering of IP traffic by letting you set filters on a host-by-host basis. Filtering lets you configure precisely what type of traffic you want to allow through the interface that has filtering enabled. By default, filtering is not enabled on any of the network interface cards; without it, all IP traffic crosses the interface without being examined by any filtering mechanism. When you enable IP filtering, no IP traffic is passed through the interface for which it is enabled until you configure filters that allow the particular IP traffic you want to pass through the network interface card.
  • TCP/IP Filters: TCP/IP filtering blocks the delivery of any IP packets that do not conform to the preset criteria. You can use TCP/IP filtering for dedicated servers that provide services on well-known protocols, TCP ports, and User Datagram Protocol (UDP) ports.
    The following lists describe when to include TCP/IP filtering in your network design, and the criteria for filtering IP packets.
    Include TCP/IP filtering in your network design to:
      • Control traffic to dedicated servers.
      • Block all inbound traffic except that which you specifically list.
      • Provide filtering at the application layer.
    You can filter IP packets based on the following criteria:
      • TCP port number
      • UDP port number
      • IP protocol type (except for TCP, UDP, ICMP, IGMP or IPSec).

    For most situations, you permit the acceptance of all IP traffic. Evaluate the effect of any enabled TCP/IP filters to ensure proper computer operation. It is not recommended to enable filtering because it may restrict the operation of essential services.
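The following is an added example (not code from the lesson or from Windows) that models the host-by-host filter semantics described above: filtering off passes everything, filtering on passes nothing except what a TCP-port, UDP-port or IP-protocol filter allows. It also implements the "evaluate the effect of any enabled filters" check, reporting which essential services a filter set would break. The server, ports and service names are constructed.

```python
from dataclasses import dataclass, field

# IP protocol numbers as carried in the IP header (IANA assigned numbers)
PROTO_ICMP, PROTO_IGMP, PROTO_TCP, PROTO_UDP = 1, 2, 6, 17


@dataclass
class InterfaceFilter:
    """Allow-lists for one network interface: the three criteria the lesson names."""
    enabled: bool = False
    tcp_ports: set = field(default_factory=set)
    udp_ports: set = field(default_factory=set)
    ip_protocols: set = field(default_factory=set)

    def permits(self, proto, dport=None):
        """Return True if a packet with this protocol/destination port crosses the interface."""
        if not self.enabled:
            return True          # filtering off: all IP traffic passes unexamined
        if proto == PROTO_TCP:   # TCP and UDP are judged by destination port
            return dport in self.tcp_ports
        if proto == PROTO_UDP:
            return dport in self.udp_ports
        return proto in self.ip_protocols   # everything else by IP protocol number


def broken_services(flt, required):
    """List the services in `required` ({name: (proto, port)}) that `flt` would block.
    This is the 'evaluate the effect of enabled filters' check the lesson asks for."""
    return [name for name, (proto, port) in required.items() if not flt.permits(proto, port)]


# Constructed example: a dedicated web server that must also answer DNS and ping,
# but was (mistakenly) not given a filter for its remote-administration port.
WEB_SERVER = InterfaceFilter(enabled=True, tcp_ports={80, 443},
                             udp_ports={53}, ip_protocols={PROTO_ICMP})
REQUIRED = {
    "http": (PROTO_TCP, 80),
    "https": (PROTO_TCP, 443),
    "dns": (PROTO_UDP, 53),
    "ping": (PROTO_ICMP, None),
    "rdp": (PROTO_TCP, 3389),
}

if __name__ == "__main__":
    print("essential services blocked by this filter set:", broken_services(WEB_SERVER, REQUIRED))
```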


Elements of IPSec for security

The primary goal of IPSec is to provide protection for IP packets. IPSec is based on an end-to-end security model, which means that the only hosts that must know about the IPSec protection are the sender and the receiver. Any intermediary network devices, such as routers, hubs, or switches, do not need to be aware of IPSec nor be IPSec enabled. Each computer handles security at its own end under the assumption that the medium over which the communication takes place is not secure.
The table below lists some of the most common network attacks and how IPSec counters them:
  • Sniffing
    Description: A sniffer is an application or device that can monitor and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Microsoft Network Monitor is an example of a network sniffer.
    Counter: IPSec defeats sniffer attacks by encrypting the data, thus making it appear as garbage to the network sniffer.
  • Data modification
    Description: The attacker could modify a message in transit and send counterfeit data, which could prevent the receiver from getting the correct information or could allow the attacker to obtain secure information.
    Counter: IPSec prevents data from being modified in transit by creating a cryptographic checksum at the time it is sent. If the data is modified during transit, the checksum becomes invalid and IPSec discards the packet.
  • Passwords
    Description: An attacker could use a stolen password or key, or attempt to break the password if it is a simple password.
    Counter: IPSec uses sophisticated encryption algorithms that make it virtually impossible to obtain a key that would be able to decrypt a message.
  • Address spoofing
    Description: An attacker can use special programs to construct IP packets that appear to originate from valid addresses inside the trusted network.
    Counter: IPSec protects against spoofing by using digital signatures on messages, via a process of non-repudiation.
  • Application layer
    Description: This attack targets application servers by exploiting weaknesses in the server operating system and applications.
    Counter: IPSec does not protect against application layer attacks, because the weakness lies in the network application itself. However, application layer attacks can be minimized by allowing only authorized, authenticated users access to servers running such applications.
  • Man-in-the-middle
    Description: Someone between the two communicating computers actively monitors, captures, and controls the data transparently (for example, the attacker may reroute a data exchange).
    Counter: IPSec protects from these attacks via non-repudiation and digital signatures that are added to IPSec packets.
  • Denial-of-service
    Description: The goal of this attack is to prevent normal use of computers or network resources. For example, an attacker using this sort of attack might flood e-mail accounts with unsolicited messages.
    Counter: IPSec does not protect against denial-of-service attacks. However, you can minimize denial-of-service attacks by allowing only trusted, authenticated users to access your important servers.
IPSec features
The following features of IPSec address all of these methods of attack:
  1. Encapsulating Security Payload (ESP) protocol: ESP provides data privacy by encrypting the IP packets.
  2. Cryptography-based keys: Encrypted keys, which are shared by the communicating systems, create a digital checksum for each IP packet. Any modification to the packet will alter the checksum, showing the receiver that the packet has been changed in transit. Different keys are used for each segment of the overall protection scheme, and new keys can be generated as often as IPSec policy dictates. This explains why you cannot use IPSec across a NAT: when the NAT changes the source IP address on the request, the IPSec algorithms interpret it as altered and discard the packet as invalid.
  3. Automatic key management: Long key lengths and dynamic re-keying during on-going communications help protect against attacks. IPSec uses the Internet Security Association and Key Management Protocol (ISAKMP) to dynamically exchange and manage cryptography-based keys between communicating computers.
  4. Automatic security negotiation: IPSec uses ISAKMP to dynamically negotiate a mutual set of security requirements between communicating computers. The computers do not need identical policies; a computer only needs a policy configured with enough negotiation options to establish a common set of requirements with another computer.
  5. Network-layer security: IPSec exists at the network layer, providing automatic security for all applications. Because IPSec is a layer 3 security protocol, applications do not need to be "aware" of IPSec and do not have to be configured to use IPSec. This is in contrast with higher-level protocols such as SSL, where applications must be written specifically to support SSL.
  6. Mutual authentication: IPSec allows the exchange and verification of identities while preventing an attacker from obtaining this information. Mutual verification (authentication) is used to establish trust between the communicating systems. Only trusted systems can exchange meaningful information. Users do not have to be in the same domain to communicate with IPSec protection. They can each be in any trusted domain in the enterprise. Communication is encrypted, making it difficult to identify and interpret the information.
  7. IP packet filtering: This filtering process enables, allows, or blocks communications as necessary by specifying address ranges, protocols, or even specific protocol ports.
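The following added example (not the lesson's code, and not IPSec's AH/ESP wire format) illustrates feature 2 above in miniature: a keyed checksum computed by the sender over the source address, destination address and payload, recomputed by the receiver. Both an in-transit modification and a NAT rewriting the source address leave the stored checksum stale, so the receiver discards the packet. The key, addresses and payload are constructed.

```python
import hashlib
import hmac
import ipaddress


def integrity_tag(key, src, dst, payload):
    """Keyed checksum over source address, destination address and payload.
    Constructed illustration of the idea, not IPSec's own header format."""
    header = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return hmac.new(key, header + payload, hashlib.sha256).digest()


def send(key, src, dst, payload):
    """Sender attaches the checksum computed with the shared key."""
    return {"src": src, "dst": dst, "payload": payload,
            "tag": integrity_tag(key, src, dst, payload)}


def accept(key, pkt):
    """Receiver recomputes the checksum; any change to a covered field invalidates it
    and the packet is discarded (False)."""
    expected = integrity_tag(key, pkt["src"], pkt["dst"], pkt["payload"])
    return hmac.compare_digest(expected, pkt["tag"])


def nat_rewrite(pkt, public_src):
    """What a NAT does on the way out: swap the private source address, tag untouched."""
    return {**pkt, "src": public_src}


def tamper(pkt, new_payload):
    """An in-transit data modification: replace the payload, tag untouched."""
    return {**pkt, "payload": new_payload}


KEY = b"constructed-shared-key"   # in IPSec this would be negotiated via ISAKMP
PACKET = send(KEY, "10.0.0.5", "203.0.113.9", b"transfer 100 to account 42")

if __name__ == "__main__":
    print("direct:", accept(KEY, PACKET))
    print("after NAT:", accept(KEY, nat_rewrite(PACKET, "198.51.100.1")))
    print("after tampering:", accept(KEY, tamper(PACKET, b"transfer 100 to account 99")))
```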


The following series of images describes a number of TCP ports and how they filter traffic.
1) TCP Port 80 is the HTTP server port. If you want to create a connection to a Web server, the request is made to the socket represented by the destination Web server's IP address and port 80 at that IP address. If you enabled filtering and wish to allow traffic to the default Web server port, create a filter for TCP Port 80.


Protect IP traffic using filters on ports 21, 23, 25 and 110

Ports 21, 23, 25, and 110 are well-known ports associated with common Internet protocols. In the context of protecting IP traffic, these ports are significant because they are often targeted by attackers due to the sensitive data they handle and the fact that some of these protocols transmit data in plaintext without encryption. Understanding the functions and security implications of these ports is essential for network security and protecting IP traffic.
  1. Port 21: FTP (File Transfer Protocol):
    Function: Port 21 is used for establishing control connections for FTP, which is a protocol for transferring files between a client and a server.
    Security Concerns:
    • Plaintext Transmission: FTP transmits data, including usernames and passwords, in plaintext, making it vulnerable to interception and eavesdropping.
    • Protection Measures:
      • Use Secure Alternatives: Replace FTP with secure versions like FTPS (FTP Secure) or SFTP (SSH File Transfer Protocol), which encrypt data transmissions.
      • Firewall Rules: Configure firewalls to restrict or block traffic on port 21 unless necessary.
      • Access Control: Implement strong authentication mechanisms and limit access to trusted IP addresses.
  2. Port 23: Telnet
    Function: Port 23 is used by Telnet, a protocol that allows for remote command-line interface access to servers and network devices.
    Security Concerns:
    • Unencrypted Communication: Telnet transmits all data, including credentials, in plaintext.
    • Protection Measures:
      • Use SSH Instead: Replace Telnet with SSH (Secure Shell) on port 22, which encrypts data transmissions.
      • Disable Telnet Services: Disable Telnet services on servers and devices to prevent unauthorized access.
      • Monitor Network Traffic: Use intrusion detection systems to monitor for any unauthorized Telnet activity.
  3. Port 25: SMTP (Simple Mail Transfer Protocol):
    Function: Port 25 is the default port used for SMTP, which is responsible for sending emails between mail servers.
    Security Concerns:
    • Email Spoofing and Spamming: Open or improperly secured SMTP servers can be exploited to send spam or malicious emails.
    • Man-in-the-Middle Attacks: Without encryption, email content can be intercepted and read.
    • Protection Measures:
      • Enable Authentication: Require authentication for sending emails to prevent unauthorized use.
      • Use Encryption: Implement TLS (Transport Layer Security) to encrypt email transmissions (SMTPS on port 465 or 587).
      • Implement Spam Filters: Use spam and malware filtering solutions to detect and block malicious emails.
      • Access Control Lists: Restrict which IP addresses can connect to your SMTP server.
  4. Port 110: POP3 (Post Office Protocol Version 3)
    Function: Port 110 is used by POP3, which allows email clients to retrieve emails from a mail server.
    Security Concerns:
    • Plaintext Credentials: POP3 transmits usernames and passwords in plaintext.
    • Data Interception: Emails and credentials can be intercepted by attackers.
    • Protection Measures:
      • Use Secure Versions: Implement POP3S (POP3 Secure) over SSL/TLS on port 995 to encrypt communications.
      • Encourage Secure Client Settings: Ensure that email clients are configured to use encrypted connections.
      • Firewall Configuration: Restrict access to port 110 if not required, and enforce secure connections.

General Strategies for Protecting IP Traffic on These Ports
  1. Implement Encryption:
    • Use secure protocols that support encryption (e.g., FTPS, SFTP, SSH, SMTPS, POP3S).
    • Enable SSL/TLS to protect data in transit.
  2. Firewall and Access Control:
    • Configure firewalls to block or restrict inbound and outbound traffic on these ports unless necessary.
    • Use access control lists (ACLs) to allow only trusted IP addresses.
  3. Disable Unused Services: Turn off services that are not in use to reduce the attack surface.
  4. Regular Updates and Patch Management: Keep software and services up to date with the latest security patches.
  5. Authentication and Authorization:
    • Enforce strong authentication mechanisms.
    • Implement multi-factor authentication where possible.
  6. Monitoring and Logging:
    • Monitor network traffic for unusual activity on these ports.
    • Use intrusion detection/prevention systems (IDS/IPS) to alert on suspicious activities.
  7. User Education:
    • Educate users about the risks of using unsecured protocols.
    • Encourage the use of VPNs or secure connections when accessing network services remotely.
Why Protecting These Ports Is Important:
  • Common Targets for Attackers: Because these ports are associated with well-known services, they are often scanned and targeted by malicious actors looking for vulnerabilities.
  • Data Sensitivity: The data transmitted over these ports can include sensitive information such as credentials, personal data, and confidential communications.
  • Regulatory Compliance: Failing to secure data transmissions can lead to violations of regulations like GDPR, HIPAA, or PCI DSS, resulting in legal penalties.

Conclusion: Protecting IP traffic involving ports 21, 23, 25, and 110 is crucial due to the inherent vulnerabilities associated with the protocols that use them. By implementing secure alternatives, enforcing encryption, and adopting robust network security practices, organizations can significantly reduce the risk of data breaches and unauthorized access.
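As an added example (not from the lesson), here is the kind of monitoring check the "Monitoring and Logging" strategy calls for: it scans firewall log lines for accepted TCP connections to the four plaintext-protocol ports discussed above and reports each with the encrypted replacement the lesson recommends. The key=value log format and the log lines are constructed; adjust the regex for a real product's format.

```python
import re
from collections import defaultdict

# Plaintext services from the lesson and the encrypted replacement it recommends.
LEGACY_PORTS = {
    21: ("FTP", "FTPS or SFTP"),
    23: ("Telnet", "SSH on port 22"),
    25: ("SMTP", "TLS (SMTPS on port 465 or 587)"),
    110: ("POP3", "POP3S on port 995"),
}

# Constructed key=value firewall log format; real products differ.
LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def find_legacy_traffic(lines):
    """Return {port: [(src, dst), ...]} for accepted TCP flows to ports 21/23/25/110."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue          # unparseable line: skip it rather than abort the scan
        if m["proto"].lower() != "tcp" or m["action"].upper() != "ACCEPT":
            continue          # only successful TCP connections matter here
        port = int(m["dport"])
        if port in LEGACY_PORTS:
            hits[port].append((m["src"], m["dst"]))
    return dict(hits)


def report(hits):
    """One line per legacy port seen, with the recommended fix."""
    out = []
    for port, flows in sorted(hits.items()):
        name, fix = LEGACY_PORTS[port]
        out.append(f"{name} (tcp/{port}): {len(flows)} accepted flow(s); replace with {fix}")
    return out


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2024-01-01T10:00:01 src=10.0.0.7 dst=10.0.0.1 proto=tcp dport=23 action=ACCEPT",
    "2024-01-01T10:00:02 src=10.0.0.7 dst=10.0.0.1 proto=tcp dport=443 action=ACCEPT",
    "2024-01-01T10:00:03 src=203.0.113.5 dst=10.0.0.2 proto=tcp dport=21 action=ACCEPT",
    "2024-01-01T10:00:04 src=203.0.113.5 dst=10.0.0.2 proto=tcp dport=23 action=DROP",
    "2024-01-01T10:00:05 src=10.0.0.9 dst=10.0.0.3 proto=tcp dport=110 action=ACCEPT",
    "2024-01-01T10:00:06 src=10.0.0.9 dst=10.0.0.3 proto=udp dport=25 action=ACCEPT",
    "a line that does not parse",
]
```

Running `report(find_legacy_traffic(SAMPLE_LOG))` on the sample yields three findings (FTP, Telnet, POP3); the dropped Telnet attempt and the UDP line are ignored.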

Route Filtering

Through this process, certain routes are not considered for inclusion in the local route database. Filters can be applied at the routers:
  1. before the routes are announced (output filtering), or
  2. as soon as a route is learned (input filtering).
There are different reasons for filtering:
  • To ensure that the use of (RFC 1918) private address space does not leak out into the global Internet, networks should block these prefixes in both their output and input filtering.
  • When a site is multihomed, announcing non-local routes to a neighbour different from the one they were learned from amounts to advertising a willingness to serve as transit. This is undesirable unless suitable agreements are in place. You can avoid this issue by applying output filtering on these routes.
  • An ISP will typically perform input filtering on routes learned from a customer to restrict them to the addresses actually assigned to that customer. Doing so makes address hijacking more difficult.
  • Similarly, an ISP will perform input filtering on routes learned from other ISPs to protect its customers from address hijacking.
  • In some cases, routers have insufficient main memory to hold the full global BGP table. By applying input filtering on prefix length (eliminating all routes for prefixes longer than a given value), on AS count, or on some combination of the two, the local route database is limited to a subset of the global table. This practice is not recommended, as it can cause sub-optimal routing or even communication failures with small networks, and frustrate the traffic-engineering efforts of one's peers.
  • In the past, route filtering was also used to reject IPv4 blocks not yet delegated by IANA, commonly called bogon address space. As IANA has depleted its available IPv4 address space, this practice is no longer needed. Some networks now block IPv4 prefixes that are held at the Regional Internet Registries (RIRs) and not yet delegated to any network. As RIRs delegate resources on a daily basis, this practice requires a daily update to the route filter. Unless a network has an automated and reliable tool to check the RIR databases, it is best not to perform this level of route filtering.
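The following added example (not the lesson's code, and not any router vendor's syntax) implements the input and output filtering decisions described above in Python: rejecting RFC 1918 space in both directions, restricting a customer's routes to its assigned blocks, rejecting a peer's announcement that equals or is more specific than one of our customers' blocks, and refusing to announce a route learned from one neighbour to a different one. Peer names and prefixes (documentation ranges) are constructed.

```python
import ipaddress

# RFC 1918 private address space: never accepted from, or announced to, a neighbour.
PRIVATE = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def is_private(net):
    return any(net.subnet_of(block) for block in PRIVATE)


def input_filter(prefix, peer_kind, assigned=(), protected=()):
    """Decide whether a route learned from a neighbour enters the local route database.
    peer_kind 'customer': `assigned` are the blocks delegated to that customer.
    peer_kind 'isp': `protected` are our own customers' blocks, guarded against hijack.
    Returns (accept, reason)."""
    net = ipaddress.ip_network(prefix)
    if is_private(net):
        return False, "RFC 1918 space rejected on input"
    if peer_kind == "customer":
        if not any(net.subnet_of(a) for a in _nets(assigned)):
            return False, "not within the addresses assigned to this customer"
    elif peer_kind == "isp":
        if any(net.subnet_of(p) for p in _nets(protected)):
            return False, "equal to or more specific than a customer prefix: possible hijack"
    return True, "accepted"


def output_filter(prefix, learned_from, to_peer, local_prefixes):
    """For a multihomed site: announce only our own prefixes. A route learned from one
    neighbour is never announced to a different one, since that would offer transit.
    learned_from is None for locally originated routes. Returns (announce, reason)."""
    net = ipaddress.ip_network(prefix)
    if is_private(net):
        return False, "RFC 1918 space not announced"
    if learned_from is not None and learned_from != to_peer:
        return False, "learned from another neighbour: announcing it would offer transit"
    if any(net.subnet_of(local) for local in _nets(local_prefixes)):
        return True, "local prefix announced"
    return False, "not a local prefix"
```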


The next lesson explores how to protect data with IPSec.