Network Firewalls

Lesson 3: Packet filters
Objective: Use packet filters as a first line of defense.

Packet filters (First line of Defense)

A packet filter firewall is a device that inspects each packet for pre-defined content; configuring one requires extensive knowledge of TCP/IP. Engineers usually filter packets at the external router or screening router[1], which discards certain types of activity entirely. Although they do not provide error-proof protection, packet filters and/or screening routers are normally the first line of defense in a firewall strategy.
How can I use packet filters as a first line of defense in network security?
Using packet filters as a first line of defense in network security involves configuring network devices such as firewalls, routers, and switches to inspect and control the flow of data packets based on predetermined rules. Here’s a step-by-step guide to effectively using packet filters:
  1. Define Security Policies:
    • Identify Needs: Determine the specific security requirements of your network.
    • Establish Rules: Create rules that specify which types of packets are allowed or denied based on criteria like IP addresses, protocols, ports, and packet types.
  2. Configure Packet Filtering:
    • Access Control Lists (ACLs): Use ACLs on routers and switches to permit or deny traffic based on IP addresses and port numbers.
    • Firewall Rules: Configure firewall rules to filter traffic at various points within your network. This can be done using both hardware and software firewalls.
    • Default Deny: Implement a default deny policy, where any traffic that is not explicitly allowed is automatically denied.
  3. Implement Stateful and Stateless Filtering:
    • Stateless Filtering: Filters packets based solely on the header information, without considering the state of the connection. Ideal for basic filtering tasks.
    • Stateful Filtering: Tracks the state of active connections and makes filtering decisions based on the state of the connection. This is more effective for managing complex traffic flows.
  4. Deploy and Test Filters:
    • Deploy Filters: Apply the configured filters to the network devices.
    • Testing: Conduct thorough testing to ensure that legitimate traffic is allowed and malicious or unwanted traffic is blocked. This includes testing for edge cases and unexpected traffic patterns.
  5. Monitor and Maintain:
    • Logging: Enable logging to monitor the traffic that passes through the filters. This helps in identifying and responding to suspicious activity.
    • Regular Updates: Regularly update the filtering rules to adapt to new threats and changes in network infrastructure.
    • Performance Monitoring: Monitor the performance of the network to ensure that the filters are not causing undue latency or bottlenecks.
  6. Advanced Techniques:
    • Intrusion Detection Systems (IDS): Integrate IDS with packet filters to enhance detection capabilities.
    • Deep Packet Inspection (DPI): Use DPI for a more thorough inspection of packet contents beyond headers, useful for identifying sophisticated threats.
    • Rate Limiting and Throttling: Implement rate limiting to protect against denial-of-service (DoS) attacks by controlling the amount of traffic allowed from specific sources.

Example Configuration: Cisco Router ACL
! Deny all inbound traffic from a specific IP
access-list 100 deny ip 192.168.1.10 0.0.0.0 any

! Permit all other traffic
access-list 100 permit ip any any

! Apply the ACL to an interface
interface GigabitEthernet0/0
 ip access-group 100 in

Example Configuration: Linux iptables
# Drop all incoming traffic from a specific IP
iptables -A INPUT -s 192.168.1.10 -j DROP

# Allow all other incoming traffic
iptables -A INPUT -j ACCEPT

By implementing packet filters effectively, you can significantly enhance your network's security posture, creating a robust first line of defense against unauthorized access and malicious activities.

How Packet Filters work

Packet filters are text files composed of sequential rules that either allow or block the packet. Packet filters are read and then acted upon on a rule-by-rule basis. Packet filters work best for restricting certain IP addresses and TCP and UDP applications from entering or leaving your network.


Packet Screening


Location 1 The packet filter tells the router to filter the content of IP packets based on the source IP address, destination IP address, TCP/UDP source port, and TCP/UDP destination port fields.
Location 2 In packet filtering, the rules are executed sequentially. Once a packet has failed any portion of a filter, the subsequent rules will not be read.
Location 3 The allow action routes the packet as normal if all conditions within the rule are met. The block action discards all packets if the conditions in the rule are not met. Packet filters discard any packet unless it has specifically been allowed within a rule.
Location 4 Rule 1 allows any host with the network address 192.168.10.0 to initiate a TCP session on any destination IP address on port 21.
Location 5 The second rule blocks any packet originating from any remote address with a source port of 20 and contacting a host on the network 192.168.10.0 on any port less than 1024. If a packet meets the conditions of rule 2, it is immediately discarded, and rule 3 is never evaluated.
Location 6 The third rule allows any remote address with a source port of 20 to contact any host on the network 192.168.10.0 on any port. Rule 3 is necessary because packet filters exclude all inbound and outbound traffic unless a rule has specifically allowed it.

Packet Filter Screening

Packet filters can be used to screen entire applications or network IDs. For example, a packet filter could restrict all inbound traffic to a specific host. This restriction would prevent a hacker from being able to contact any other host within the internal network. Screening routers must be configured with routing tables for both the internal and the public networks. These routing tables display part of your internal network to the outside world.
  • Screening Router Weaknesses: Packet filters take the IP addressing information at face value. If a packet passes all the rules, it is routed to the destination. If a hacker spoofs a source address that a rule within the filter specifically allows, the firewall will pass or route the packet.
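To make the sequential, first-match evaluation of rules 1-3 from the Packet Screening figure and the spoofed-source weakness above concrete, here is an added Python simulation; it is not part of the course material. The Packet and Rule classes, the port ranges, the 203.0.113.x example addresses and the anti-spoofing check in screen_external are assumptions added for illustration; the three rules and the 192.168.10.0 network follow the figure description.

```python
import ipaddress
from dataclasses import dataclass

ANY_NET = "0.0.0.0/0"
ANY_PORT = (0, 65535)          # inclusive (low, high) range
INTERNAL = "192.168.10.0/24"   # the internal network from the lesson figure

@dataclass(frozen=True)
class Packet:                  # constructed header fields the filter inspects
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "block"
    proto: str      # "tcp", "udp" or "any"
    src_net: str    # CIDR; ANY_NET matches every address
    dst_net: str
    src_port: tuple # (low, high) inclusive; ANY_PORT matches every port
    dst_port: tuple

def matches(rule, pkt):
    """True when every field condition of the rule holds for the packet."""
    return (rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(rule.dst_net)
            and rule.src_port[0] <= pkt.src_port <= rule.src_port[1]
            and rule.dst_port[0] <= pkt.dst_port <= rule.dst_port[1])

def filter_packet(rules, pkt):
    """First match wins; returns (action, rule number) or ("block", None) by default."""
    for num, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, num
    return "block", None   # nothing matched: packet filters discard by default

def screen_external(rules, pkt):
    """Assumed mitigation on the external interface: a packet arriving from
    outside that claims an internal source is dropped before the rules run."""
    if ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(INTERNAL):
        return "block", "spoofed-source"
    return filter_packet(rules, pkt)

# Rules 1-3 as described in the lesson's Packet Screening figure.
RULES = [
    Rule("allow", "tcp", INTERNAL, ANY_NET, ANY_PORT, (21, 21)),   # rule 1
    Rule("block", "any", ANY_NET, INTERNAL, (20, 20), (0, 1023)),  # rule 2
    Rule("allow", "any", ANY_NET, INTERNAL, (20, 20), ANY_PORT),   # rule 3
]
```

Feeding the same source-port-20 packet to a privileged and then to a high destination port shows why rule 2 must precede rule 3.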

Packet Filter Rule - Exercise

Click the Exercise button to configure a firewall using packet filter rules.
[1] Screening router: Examines inbound and outbound packets based upon filter rules. Screening router is another term for a packet filter.
