

FILTERS: THE MOST POPULAR DEFENSE

Filters are the most popular defense against network attacks. The intent is to pass normal traffic while rejecting all attack traffic; the difficulty, of course, lies in recognizing the difference between the two. Filters are normally based on the origin, the destination, and the kind of traffic. Traffic is permitted to flow from trusted or known sources to safe or intended destinations. Most destinations will ignore traffic that is not addressed to them but will certainly listen to attack traffic that is. Filtering on destination address can keep a system from ever seeing that attack traffic, but only by also keeping it from seeing all other traffic sent to that address.

Filters Implemented by Using Routers

In part because networks are usually connected to each other through routers, routers are a favorite place to filter traffic. The same logic that the router uses to decide where to send traffic can be used to reject traffic (i.e., to decide to send it to the “bit bucket”). For example, only those packets that appear to have originated on systems whose addresses are recognized (i.e., are on a list of known systems) may be accepted. Note that the router can see only the origin address the packet carries, not where the packet actually came from.

Packets by Address: IP Address and Port

A filter must have criteria by which to decide which traffic to pass and which to reject, and those criteria must appear in the packet. The most frequently used criteria are the IP origin and destination addresses. Typically these are expressed as an address pair: traffic appearing to originate at A and addressed to B may pass this router. A rule could instead say that all traffic originating at A may pass, or that all traffic intended for B may pass, but either form is significantly less rigorous and less secure than the pair.

The origin and destination are usually expressed as IP addresses and may be further qualified by port. That is, traffic originating on the mail port of A may pass to the mail port on B, but to no other port.

Protocols

The protocol is also visible in the packet and is useful for both routing and security purposes. For example, the filter may pass SMTP traffic to the mail server while not allowing other IP traffic addressed to the same server to pass. Because the intent of the traffic is more obvious in the higher-level protocols, filtering by protocol can be very effective and useful.
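As an added example (not code from the chapter), the following Python models the filter just described: a first-match rule list that decides on origin and destination address, port, protocol, and the interface the packet arrived on. It compares the three ways of expressing “let A talk to B” (origin only, address pair, pair plus service), shows what the chapter's literal “mail port of A to mail port of B” rule does to a modern client that uses an ephemeral origin port, and adds the ingress check a practitioner would put first: packets arriving from outside that claim an inside origin are forged. All addresses, hosts, interface names and rule sets are constructed for illustration.

```python
"""Minimal first-match packet filter (added example, not the chapter's code).
Addresses, hosts, interface names and rules below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                  # origin IP address as carried in the header
    dst: str                  # destination IP address
    proto: str                # "tcp", "udp" or "icmp"
    sport: Optional[int]      # origin port (None for icmp)
    dport: Optional[int]      # destination port
    iface: str = "outside"    # interface the packet arrived on (assumed names)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # origin network in CIDR; default matches any
    dst: str = "0.0.0.0/0"       # destination network in CIDR
    proto: Optional[str] = None  # None matches any protocol
    sport: Optional[int] = None  # None matches any origin port
    dport: Optional[int] = None  # None matches any destination port
    iface: Optional[str] = None  # None matches either interface

    def matches(self, p: Packet) -> bool:
        """Every criterion that is specified must hold; the rest are wildcards."""
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        checks = ((self.proto, p.proto), (self.sport, p.sport),
                  (self.dport, p.dport), (self.iface, p.iface))
        return all(want is None or want == got for want, got in checks)


def decide(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; traffic no rule permits is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed topology: the router protects 198.51.100.0/24 (mail server B and
# host C) and sees a known outside relay A on its "outside" interface.
PROTECTED = "198.51.100.0/24"
A, B, C = "192.0.2.10", "198.51.100.25", "198.51.100.80"

# Three ways of saying "A may talk to B", least to most rigorous.
ALL_FROM_A = [Rule("permit", src=A)]                                   # origin only
PAIR_A_TO_B = [Rule("permit", src=A, dst=B)]                           # address pair
MAIL_A_TO_B = [Rule("permit", src=A, dst=B, proto="tcp", dport=25)]    # pair + service
# The chapter's literal "mail port of A to mail port of B"; today's SMTP
# clients connect from an ephemeral origin port, so this also drops real mail.
BOTH_PORTS = [Rule("permit", src=A, dst=B, proto="tcp", sport=25, dport=25)]

# A policy as a router would carry it: ingress anti-spoofing first, then mail
# to B from anywhere on the outside.
POLICY = [
    Rule("deny", src=PROTECTED, iface="outside"),                     # inside origin from outside: forged
    Rule("permit", dst=B, proto="tcp", dport=25, iface="outside"),    # public mail server
]


def compare(p: Packet) -> dict:
    """Decision of each rule set for one packet."""
    return {"origin_only": decide(ALL_FROM_A, p),
            "pair": decide(PAIR_A_TO_B, p),
            "pair_and_port": decide(MAIL_A_TO_B, p),
            "both_ports": decide(BOTH_PORTS, p),
            "policy": decide(POLICY, p)}


# Constructed traffic as seen on the outside interface.
MAIL = Packet(A, B, "tcp", 40000, 25)             # what the rules are meant to allow
SSH_TO_B = Packet(A, B, "tcp", 40001, 22)         # right pair, wrong service
SSH_TO_C = Packet(A, C, "tcp", 40002, 22)         # right origin, wrong destination
CLAIMS_INSIDE = Packet(C, B, "tcp", 40004, 25)    # arrives outside, claims inside origin

if __name__ == "__main__":
    for name, pkt in (("mail", MAIL), ("ssh_to_b", SSH_TO_B),
                      ("ssh_to_c", SSH_TO_C), ("claims_inside", CLAIMS_INSIDE)):
        print(f"{name:14} {compare(pkt)}")
```

Two caveats the table of decisions makes visible. First, the filter acts only on what the header claims: a packet forged to carry A's address and arriving on the outside interface is indistinguishable from MAIL, so the address-pair rule narrows what a forger can reach (the mail port on B) but does not authenticate A. The ingress rule in POLICY catches only the forgeries it can recognize, those claiming an origin on the protected side. Second, this filter is stateless; to let B answer A, a real deployment must also permit the reverse pair (or track connections), which is the gap that stateful firewalls later filled.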

FIREWALLS

It is beyond the scope of this chapter to provide instruction on how to build or even to operate a firewall. Within the allotted space, it is difficult to simply convey an understanding of their nature and use. A basic definition and discussion follows.

The American Heritage Dictionary defines a firewall as “a fireproof wall used as a barrier to prevent the spread of a fire.” By analogy, a network firewall is a traffic-proof barrier used to prevent the spread of disorderly or malicious traffic. More specifically, a firewall is a special collection of hardware and software that connects two networks and is used to protect each from the other, built on assumptions as to which side of the firewall a fire will start on.

Like most analogies, this one is instructive even at the extremes where it begins to break down. In the analogy, a firewall is assumed to resist fire equally in both directions: it is symmetric and need not treat fire on one side of the wall differently from fire on the other. It must resist fire but pass people; people are easy to distinguish from fire, and all people and all fire, on either side of the wall, are treated the same. The task of the network firewall is to distinguish between threatening and nonthreatening traffic, and to do so differently depending on which side the traffic originates. In the presence of fire, a firewall need not pass people; resisting fire is more important than passing people. The network firewall, however, will rarely be permitted to reject all traffic in the name of rejecting all attack traffic. It will usually be required to pass legitimate traffic even in the presence of known attack traffic.

Moreover, a firewall is not a box; it is not a product that can simply be purchased off the shelf. At the time of this writing, more than 40 vendors offer products that are described, at least in part, as firewalls. Although there are similarities among them, there are also fundamental differences in their approaches. Even given a complete understanding of company requirements and security policy, gaining sufficient knowledge about tens of products to decide which one is most appropriate is a major challenge.

Firewall Policy Positions

Four fundamental policy positions are available to network operators. The firewall policy will be the result of these postures and of the applications on the network.

Paranoid. The first of these positions is called paranoid. It is motivated by extreme caution, and probably fear, and is characterized by the absence of any connection to the Internet.



Copyright © CRC Press LLC