Packet Filtering Techniques

Questions and Answers

Which of the following best describes a packet according to the text?

  • A detailed report of network errors and warnings.
  • A collection of various network protocols.
  • A continuous stream of data without specific boundaries.
  • A discrete block of data that is a basic unit handled by a network. (correct)

Packet filtering involves examining the entire content of a packet, not just its header.

False (B)

What two parts does each packet consist of?

header and data

A ______ acts like a 'doorman,' reviewing the packet header before sending it to a specific location within the network.

packet filter

Which of the following network devices is commonly used for packet filtering?

Routers (C)

Operating systems do not include built-in utilities for filtering packets.

False (B)

What is the main function of software firewalls in relation to packets?

filter packets

Firewall ______ are standalone hardware and software devices with self-contained components.

appliances

Which part of a packet contains information typically read only by computers?

The header (A)

The 'data' portion of a packet is what end users typically see.

True (A)

What is the main role of lower-networking protocols in the context of packets?

break them into frames

The Internet Header Length describes the length of the header in ______-bit words.

32

What does the 'Type of Service' field in an IP packet indicate?

Which of four service options is used to transmit the packet. (A)

The 'Time to Live' (TTL) field in a packet is measured in seconds.

False (B)

What does the 'Protocol' field identify within the data portion of a packet?

ip protocol

Each packet sent and received across the Internet is encoded into ______.

binary

If the Time to Live (TTL) is an 8-bit value, what is the maximum number of hops a packet's life can represent?

255 (D)

Packet filters always examine packet headers and the entire content before making a decision.

False (B)

What is the primary action of an 'allow' rule in packet filtering?

packets pass

According to common packet-filtering practices, ICMP redirect or echo (ping) messages are typically ______.

filtered out

For a small-scale, software-only personal firewall, what should be set up to allow communications between computers on a local network?

An access list that includes all of the computers in local network by name or IP address. (D)

Stateless packet filtering maintains a record of the state of a connection.

False (B)

What is compared against the header data in stateless filtering to determine if a packet should be forwarded?

rule base

The ______ flag indicates that the destination computer has received packets that were previously sent.

acknowledgement (ACK)

Which IP header criteria is used to allow only certain computers or devices to access your network resources?

Source IP Address (A)

Filtering by TCP or UDP port number is also known as IP address filtering.

False (B)

What is the general management protocol for TCP/IP diagnosed by ICMP?

internet control message protocol

If a packet arrives at the firewall from an external network but contains an IP address that is inside the protected network, the firewall should send a(n) ______.

alert message

How does a stateful packet filter improve upon stateless packet filtering?

By maintaining a record of the state of a connection. (B)

Stateful packet inspection verifies the packet data itself, not just the headers.

False (B)

What does a proxy gateway look at in a packet to decide which application should handle it?

the data

A specialty firewall will scan the bodies of emails and web pages or pages seeking ______ or other offensive content.

profanities

What three actions should be established with packet-filter rules to ensure a solid firewall?

Control traffic, block harmful packets, and pass legitimate traffic. (C)

Best practice allows for a direct firewall device from a public network.

False (B)

What kind of data is routed through a well-configured SMTP gateway via a firewall?

simple mail transport

HTTP traffic should be prevented from reaching internal networks via implementation of some form of ______ or DMZ architecture.

proxy access

Within the rules that cover multiple variations, what type of packets should be blocked from getting to the internal LAN?

Potentially harmful packets (B)

The Internet Control Message Protocol (ICMP) packets cannot be altered.

False (B)

What is the best way to prevent changes to your routing tables?

redirect

Rules that enable web traffic cover standard http traffic on tcp port ______.

80

Match the following ICMP rules with their descriptions:

  • Echo Request = Gives external computers the ability to ping external computers.
  • Echo Reply = Enables computers to receive ping replies from external hosts.
  • Destination Unreachable = Enables computers to receive packets stating that an external resource is unreachable.
  • Source Quench = Lets external hosts tell internal hosts if the network is saturated.

Flashcards

What are Packets?

Discrete blocks of data, the basic unit handled by a network.

What is a Packet Filter?

Hardware or software that controls the transmission of information packets based on defined criteria, either allowing or blocking them.

What does a Packet Filter do?

A device that reviews the packet header to determine its destination within the network.

What are Routers?

A common packet filter found in networks.

What are Operating Systems used for?

They use built-in utilities to filter packets at the TCP/IP stack of the server software.

What are Software Firewalls?

Programs that filter packets within an enterprise network.

What are Firewall Appliances?

Self-contained hardware and software devices that filter packets.

What is the Anatomy of an IP Packet?

Part of TCP/IP that transmits data in manageable chunks.

What is the Header of a Packet?

Contains info only read by computers, such as source, destination, and protocol.

What is the Data of a Packet?

The actual content seen by end users.

IP Packet: Version

Identifies the version of IP being used.

IP Packet: Header Length?

Describes the header's length in 32-bit words.

IP Packet: Type of Service?

Indicates service options like minimizing delay or maximizing throughput.

IP Packet: Total Length?

16-bit field indicating the total packet size.

IP Packet: Identification?

16-bit value aiding the division of the data stream into packets.

IP Packet: Information Flags?

3-bit value telling if a packet is a fragment.

IP Packet: Fragment Offset?

Indicates a fragment's position in a sequence.

IP Packet: Time To Live (TTL)

8-bit value identifying the maximum time in the system before being dropped.

IP Packet: Protocol?

Identifies the IP protocol used in the data portion.

IP Packet: Header Checksum?

The sum of the 16-bit packet header values.

IP Packet: Source IP Address?

The address of the sending computer or device.

IP Packet: Destination IP Address?

The address of the destination computer or device.

How are packets encoded?

Binary code is used to encode packets sent/received via the Internet.

"Allow" Rules

Rules that allow packets to pass through a firewall.

"Deny" Rules

Rules that drop packets, preventing them from passing through a firewall.

Common Packet Filtering Rule

Rules that drop inbound connections, excluding those configured for specific servers.

Software Firewalls with Access List?

Small-scale firewall setups that allow communication between computers listed by name/IP.

Local network trusted zone?

Machines listed in trusted status.

Stateless Packet Filtering

Packets are reviewed only on their header content.

When is stateless packet filtering useful?

Blocking all traffic from a subnet or network.

IP header criteria filtering?

Header data is compared against a rule base.

What does the ACK flag indicate?

Shows if the destination computer has received the previously sent packets.

Source IP address?

Filter criterion based on the sending IP.

Destination IP address?

Filter criterion that lets external hosts connect to public servers.

Protocol

Filter criterion that makes only certain protocols available.

TCP/UDP port number filtering?

Used by firewalls to filter a wide variety of information by port or protocol.

ICMP

This protocol is used for diagnosing communication problems.

Firewalls in ICMP?

Firewalls decide, by ICMP message type, whether an ICMP packet is allowed to pass.

Fragmentation Flags?

Filtering based on packet fragmentation flags during reassembly.

What does filtering on the ACK flag offer?

Allows packets with the ACK bit set, for only the specified ports and direction.

What are Suspicious packets?

Filters that send alerts when a packet with an invalid source IP address arrives.

Study Notes

Overview

  • Chapter 5 is about Packet Filtering
  • Describes packets and how packet filtering works
  • Explains different packet filtering approaches
  • How to configure specific filtering rules based on business requirements

Introduction

  • Packets are discrete blocks of data
  • Packets are the basic unit of data handled by a network
  • Network traffic is broken down into packets for network transmission
  • Packets are reassembled at the destination
  • Packet filters are software or hardware that allows or blocks transmission of data packets based on defined criteria

Understanding Packets and Packet Filtering

  • Packet filtering acts like a doorman by reviewing the packet header
  • Then it sends the packet to a specific location within the network

Packet-Filtering Devices

  • Routers are typical packet filters
  • Operating systems have built-in utilities to filter packets at the TCP/IP stack level
  • Software firewalls are mostly enterprise-level programs that filter packets
  • Firewall appliances are standalone hardware and software that have self-contained components

Anatomy of a Packet

  • Packets are part of Transport Control Protocol/Internet Protocol (TCP/IP)
  • TCP/IP transmits data in small, manageable chunks
  • Packets start as messages developed by high-level protocols
  • High-level messages are formatted into usable datasets
  • Lower-networking protocols break packets into frames, which are coded as electronic pulses on the media
  • Packets consist of a header and data
  • The header contains information normally read by computers
  • The data is the part seen by end users
  • An IP packet header has several elements
  • Version indicates the IP version
  • Internet Header Length describes the header in 32-bit words
  • Type of Service indicates which of four service options is used to transmit the packet:
  • Minimize delay
  • Maximize throughput
  • Maximize reliability
  • Minimize cost
  • 16-bit Total Length field indicates the packet's total length
  • 16-bit Identification value aids in dividing the data stream into packets
  • 3-bit Information Flags value indicates if the packet is a fragment or not
  • Fragment Offset indicates where the fragment belongs in the sequence of fragments for reassembly purposes if data is a fragment
  • 8-bit Time to Live (TTL) identifies the maximum time the packet can remain in the system before being dropped
  • Protocol identifies the IP protocol used in the packet's data portion
  • Header Checksum sums all 16-bit values in the packet header for a single value
  • Source IP Address is the address of the computer or device that sent the IP packet
  • Destination IP Address is the address of the computer or device that is to receive the IP packet
  • Options can contain a security field and source routing fields
  • The Data section is the part that end users actually see
  • Trailer or footer contains data that indicates the end of the packet; this is optional

Technical Details: The Binary Connection

  • Packets sent and received online are encoded into binary (1s and 0s)
  • Time to Live (TTL) is an 8-bit value
  • In binary, a packet can live between 00000001 and 11111111, from 1 to 255 hops (device transfers)
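The header fields listed above can be read straight out of the wire bytes. The following Python is an added example, not code from the lesson: it builds a constructed 20-byte IPv4 header (RFC 5737 documentation addresses, so nothing here is captured traffic), then parses it back into the fields a packet filter looks at. The Header Checksum is implemented as the standard RFC 791 one's-complement sum over the header's 16-bit words, which is why a valid header re-sums to zero.

```python
import struct
from ipaddress import IPv4Address

# Wire layout of a 20-byte IPv4 header (no options), network byte order:
# version/IHL, TOS, total length, identification, flags/fragment offset,
# TTL, protocol, header checksum, source address, destination address.
IPV4_FMT = "!BBHHHBBH4s4s"


def internet_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of all 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, *, tos=0, total_length=40,
                      identification=0x1C46, flags=0b010, frag_offset=0,
                      ttl=64, protocol=6) -> bytes:
    """Pack the fields from the notes into a 20-byte header with a valid checksum."""
    version_ihl = (4 << 4) | 5                # version 4, IHL = 5 32-bit words
    flags_frag = (flags << 13) | frag_offset  # 3 flag bits + 13-bit fragment offset
    fields = [version_ihl, tos, total_length, identification, flags_frag,
              ttl, protocol, 0,               # checksum is zero while it is computed
              IPv4Address(src).packed, IPv4Address(dst).packed]
    fields[7] = internet_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def parse_ipv4_header(raw: bytes) -> dict:
    """Split a header into the fields a packet filter reads."""
    (version_ihl, tos, total_length, identification, flags_frag,
     ttl, protocol, checksum, src, dst) = struct.unpack(IPV4_FMT, raw[:20])
    ihl = version_ihl & 0x0F
    return {
        "version": version_ihl >> 4,
        "ihl_words": ihl,
        "header_length_bytes": ihl * 4,       # IHL counts 32-bit words
        "type_of_service": tos,
        "total_length": total_length,
        "identification": identification,
        "flags": flags_frag >> 13,            # reserved, DF, MF
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,                           # 1..255 hops, not seconds in practice
        "protocol": protocol,                 # 6 = TCP, 17 = UDP, 1 = ICMP
        "header_checksum": checksum,
        # A header with a correct checksum sums (one's complement) to zero.
        "checksum_ok": internet_checksum(raw[:ihl * 4]) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }


# Constructed sample: TCP packet, 40 bytes total, DF flag set, TTL 64.
SAMPLE_HEADER = build_ipv4_header("192.0.2.1", "198.51.100.7")

if __name__ == "__main__":
    for name, value in parse_ipv4_header(SAMPLE_HEADER).items():
        print(f"{name:>20}: {value}")
```

Flipping a single bit of the TTL byte makes `checksum_ok` false, which is the whole point of the field: a router that decrements TTL must recompute the checksum, and a filter that sees a mismatch is looking at a corrupted or tampered header.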

Packet-Filtering Rules

  • "Allow" rules permit a packet to pass
  • "Deny" rules cause a packet to be dropped
  • Packet filters only examine packet headers
  • Common packet filtering rules are:
  • Drop all inbound connections except connection requests for configured servers
  • Eliminate packets bound for all ports that should not be available to the Internet
  • Filter out any ICMP redirect or echo (ping) messages
  • Drop all packets that use the IP header source routing feature
  • A small-scale, software-only personal firewall should set up an access list with local network computers by name or IP address to allow communication between them
  • An easy way to identify computers on the local network is to put them in a trusted zone
  • All traffic using a protocol can be blocked on certain ports
  • Specific ports or programs can be added to only enable required functionalities

Packet-Filtering Methods

  • Stateless packet filtering reviews packet header content
  • It allows or drops packets based on whether a connection has been established between an external and internal host
  • Stateful packet filtering maintains a record of a connection's state and can make informed decisions
  • Packet filtering uses contents of the data part of a packet and the header to make decisions

Stateless Packet Filtering

  • Stateless packet filters are useful for blocking all traffic from a subnet or network
  • Filtering on IP header criteria compares header data to a rule base and forwards it if a rule is matched
  • Acknowledgement (ACK) flag:
  • Indicates a receiving computer has received the packets that were sent
  • Can be used to determine connection status
  • Filtering can also be based on Destination IP address
  • This enables external hosts to connect to public DMZ servers, but not to internal LAN hosts
  • Filtering on the IP Protocol ID field can, for example, match the Internet Group Management Protocol (IGMP)
  • IGMP enables a computer to identify its multicast group memberships
  • Filtering by TCP or UDP port number helps filter a wide variety of information and is known as port or protocol filtering
  • Internet Control Message Protocol (ICMP) is a general management protocol
  • Used to diagnose communication problems and communicate certain status information
  • Firewalls or packet filters must be able to determine the ICMP message type and, based on that message, whether an ICMP packet should pass or not
  • The TCP or UDP port number appears only in the fragment numbered 0 (the first fragment)
  • Firewalls should reassemble fragmented packets before making the admit/drop decision
  • Firewalls can be set to allow packets with the ACK bit set to 1 for only the specified ports and direction
  • Suspicious inbound packets can be filtered: packets that arrive at the firewall from an external network but contain a source IP address that is inside the network
  • Firewalls can be set to send an alert message when this happens
  • Many default rules apply to all protocols and ports
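The common rules listed in this section and in Packet-Filtering Rules above are easiest to understand as an ordered rule base evaluated against header fields alone. The following Python is an added example written for this lesson, not code from the text or from any firewall product. The topology is an assumption: a protected LAN of 192.168.10.0/24 and one public web server in a DMZ at 203.0.113.10; all addresses are from the RFC 5737 documentation ranges and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed topology (constructed for this example).
INTERNAL_NET = ip_network("192.168.10.0/24")
DMZ_WEB_SERVER = ip_address("203.0.113.10")


@dataclass(frozen=True)
class PacketHeader:
    """Only the header fields a stateless filter looks at."""
    direction: str                      # "in" (from the Internet) or "out"
    src: str
    dst: str
    protocol: str                       # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    syn: bool = False
    ack: bool = False
    icmp_type: Optional[str] = None     # e.g. "echo-request", "redirect"
    source_routed: bool = False         # IP source-routing option present


def evaluate(pkt: PacketHeader) -> tuple[str, Optional[str]]:
    """Return (decision, alert). Rules are checked top to bottom; first match wins."""
    src = ip_address(pkt.src)

    # Rule 1: an inbound packet claiming an internal source address is suspicious;
    # drop it and raise an alert (the notes' "suspicious inbound packets").
    if pkt.direction == "in" and src in INTERNAL_NET:
        return "drop", f"spoofed internal source {pkt.src} on external interface"

    # Rule 2: drop any packet using the IP header source-routing feature.
    if pkt.source_routed:
        return "drop", None

    # Rule 3: filter out ICMP echo (ping) and redirect messages.
    if pkt.protocol == "icmp" and pkt.icmp_type in {"echo-request", "redirect"}:
        return "drop", None

    # Rule 4: inbound connection requests (SYN without ACK) are dropped unless
    # they are bound for the configured server on a published port.
    if pkt.direction == "in" and pkt.protocol == "tcp" and pkt.syn and not pkt.ack:
        if ip_address(pkt.dst) == DMZ_WEB_SERVER and pkt.dst_port in (80, 443):
            return "allow", None
        return "drop", None

    # Rule 5: inbound TCP with ACK set is treated as a reply to an internal client,
    # but only towards ephemeral ports (ACK-bit filtering with a port restriction).
    if pkt.direction == "in" and pkt.protocol == "tcp" and pkt.ack:
        if pkt.dst_port is not None and pkt.dst_port > 1023:
            return "allow", None
        return "drop", None

    # Rule 6: internal hosts may initiate outbound traffic.
    if pkt.direction == "out" and src in INTERNAL_NET:
        return "allow", None

    # Default: deny everything not explicitly permitted.
    return "drop", None


# Constructed sample traffic (documentation-range addresses, not captured data).
SAMPLE_PACKETS = [
    PacketHeader("in", "198.51.100.23", "203.0.113.10", "tcp", 443, syn=True),
    PacketHeader("in", "198.51.100.23", "192.168.10.5", "tcp", 22, syn=True),
    PacketHeader("in", "192.168.10.9", "192.168.10.5", "tcp", 445, syn=True),
    PacketHeader("in", "198.51.100.23", "192.168.10.5", "icmp", icmp_type="echo-request"),
    PacketHeader("in", "198.51.100.23", "192.168.10.5", "tcp", 51234, ack=True),
    PacketHeader("out", "192.168.10.5", "198.51.100.23", "tcp", 80, syn=True),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        decision, alert = evaluate(p)
        line = f"{p.direction:>3} {p.src:>14} -> {p.dst:<14} {p.protocol:<4} {decision}"
        print(line + (f"  ALERT: {alert}" if alert else ""))
```

Rule order matters: the spoofing check sits first so that a forged internal source can never be rescued by a later allow rule, and the default at the bottom is deny, which is what makes the "allow" rules meaningful. Rule 5 also shows the weakness of purely stateless ACK-bit filtering: any inbound segment with ACK set and a high destination port is admitted whether or not an internal host ever opened that connection, which is the gap stateful filtering closes.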

Stateful Packet Filtering

  • Stateful filters do everything a stateless filter can
  • It can also maintain a record of connection state
  • Powerful enterprise firewalls do stateful packet filtering
  • Current connections are listed in a state table
  • Stateful packet filtering inspects only header information with no verification of content.
  • It may allow traffic bound for well-known ports while blocking other ports
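The state table is what separates the two methods. The following Python is an added example written for this lesson (not the text's own material or any vendor's implementation): a minimal stateful TCP filter that records connections opened from inside and admits inbound segments only when they match an entry. The hosts, ports and the eight-packet exchange are constructed. The fifth packet is the case the stateless ACK-bit rule gets wrong: an inbound segment with ACK set to a port nobody inside asked for.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    direction: str        # "out" = LAN -> Internet, "in" = Internet -> LAN
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


class StatefulFilter:
    """Admit inbound TCP only when it belongs to a connection an inside host opened."""

    def __init__(self) -> None:
        # key: (internal host, internal port, external host, external port) -> state
        self.state_table: dict[tuple, str] = {}

    @staticmethod
    def _key(p: TcpPacket) -> tuple:
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)   # inbound reply: swap the two sides

    def evaluate(self, p: TcpPacket) -> str:
        key = self._key(p)
        if p.direction == "out":
            if p.syn and not p.ack:                # new connection from inside
                self.state_table[key] = "SYN_SENT"
                return "allow"
            if key in self.state_table:
                if p.fin:
                    self.state_table.pop(key)      # inside is closing; forget the entry
                elif p.ack:
                    self.state_table[key] = "ESTABLISHED"
                return "allow"
            return "drop"                          # outbound segment with no tracked connection
        # Inbound: no entry means nothing inside asked for this, ACK bit or not.
        if key not in self.state_table:
            return "drop"
        if p.syn and p.ack and self.state_table[key] == "SYN_SENT":
            self.state_table[key] = "SYN_RECEIVED"
        if p.fin:
            self.state_table.pop(key, None)
        return "allow"


def run_scenario() -> list[str]:
    """Constructed exchange: one legitimate HTTPS session plus two unsolicited inbound segments."""
    fw = StatefulFilter()
    exchange = [
        TcpPacket("out", "192.168.10.5", 51000, "198.51.100.23", 443, syn=True),           # client SYN
        TcpPacket("in", "198.51.100.23", 443, "192.168.10.5", 51000, syn=True, ack=True),  # server SYN/ACK
        TcpPacket("out", "192.168.10.5", 51000, "198.51.100.23", 443, ack=True),           # client ACK
        TcpPacket("in", "198.51.100.23", 443, "192.168.10.5", 51000, ack=True),            # server data
        TcpPacket("in", "198.51.100.23", 443, "192.168.10.5", 51001, ack=True),            # ACK set, no session
        TcpPacket("in", "198.51.100.77", 4444, "192.168.10.5", 445, syn=True),             # unsolicited SYN
        TcpPacket("out", "192.168.10.5", 51000, "198.51.100.23", 443, fin=True, ack=True), # client closes
        TcpPacket("in", "198.51.100.23", 443, "192.168.10.5", 51000, ack=True),            # late segment after close
    ]
    return [fw.evaluate(p) for p in exchange]


if __name__ == "__main__":
    for i, decision in enumerate(run_scenario(), 1):
        print(f"packet {i}: {decision}")
```

Real stateful firewalls add timeouts so that entries for half-open or abandoned connections do not accumulate, and they validate sequence numbers as well; the table here is only the part the notes describe, the record of which conversations exist.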

Filtering Based on Packet Content

  • Some traffic uses packets that are difficult to filter reliably
  • Stateful inspection examines contents of packets and headers
  • Proxy gateway directs data to the correct application
  • Specialty firewalls look at the body of e-mail messages or Web pages for offensive content

Setting Specific Packet Filter Rules

  • Establish filter rules to control traffic to resources
  • Block potentially harmful packets
  • Pass packets that contain legitimate traffic

Best Practice Firewall Rules

  • Ensure firewalls are not directly accessible from a public network
  • Simple Mail Transport Protocol (SMTP) data should pass through a firewall, but be routed to a well-configured SMTP gateway
  • Deny all Internet Control Message Protocol (ICMP) data
  • Block Telnet access to all internal servers from public networks
  • HTTP traffic needs to be prevented from reaching internal networks; proxy access or a DMZ architecture needs to be implemented
  • All firewall rules should be tested before placing them into production use.

Rules That Cover Multiple Variations

  • Packet-filter rules should account for all possible ports and variations within a protocol
  • Rules are created and modified as a result of trial and error
  • A firewall and two routers are a typical LAN configuration for blocking potentially harmful packets from getting to the internal LAN
  • Rules allow Web, FTP, and email

Rules for ICMP Packets

  • ICMP packets are easily forged and used to redirect other communications
  • Packet Internet Groper (a ping) determines if a host is unreachable
  • Specific ICMP rules need to be established
  • Rules should let hosts send and receive needed ICMP packets
  • While blocking those that open internal hosts to intruders

Rules That Enable Web Access

  • Standard HTTP traffic on TCP Port 80 and Secure HTTP (HTTPS) traffic on TCP Port 443 can be covered via rules
  • Rules for Internet-accessible Web server are described in Table 5-4

Rules That Enable DNS

  • Users must be able to resolve FQDNs
  • DNS uses UDP Port 53 or TCP Port 53 for connection attempts
  • Rules enable external clients to access computers in your own network using the same TCP and UDP ports, as described in Table 5-5

Technical Details: DNS

  • DNS has structure for organizing Internet names associated with IP addresses
  • Facilitates easy remembrance of site locations for HTTP, FTP, and other services
  • DNS Works through a set of servers
  • Root servers store the base address
  • Provides the IP address of the primary name server for the organization registered with that domain name
  • Name servers also know the location of any specific devices associated with the tertiary name service

Rules That Enable FTP

  • FTP transactions can be either active or passive
  • FTP Supports two separate connections:
  • TCP Port 21: FTP control port
  • TCP Port 20: FTP data port
  • An FTP client can establish a connection with the FTP server at any port above 1023
  • With Table 5-6, specify the FTP server IP address

Rules That Enable E-Mail

  • Difficult to set up firewalls for e-mail, since a large variety of e-mail protocols exist
  • Configuration in Table 5-7 uses POP3 and SMTP for inbound and outbound e-mail
  • Assess whether your organization needs to accept incoming e-mail messages and whether users can access external mail services

Summary

  • Packets are the basic units of data over a network
  • Packet filtering can be done by a variety of hardware devices and software firewalls
  • Packet-filtering devices evaluate information in packet headers and compare it to established rules per network usage policy
  • Stateless packet filtering is the simplest packet-filtering method by only reviewing the packet header for decisions
  • Stateful packet filtering maintains the state of a connection for more sophisticated analysis
