Lecture 1 - Packet Filtering

19 Terms

1

What is a packet Filter?

-Software that limits connectivity

  • Blocks ingress and/or egress traffic

  • Typically uses some form of rule-based filtering

    • Rules are combined into a ruleset

    • Best practice: allow what you want, then deny everything else

  • The term firewall is commonly used in lieu of the correct term packet filter

    • A firewall always includes a packet filter

    • Not all packet filters are firewalls

2

How are packet filters packaged?

-Software that interacts with existing IP stack

  • Software “Firewalls“

    • Windows firewall, iptables, pf, etc

  • Replacement IP stack

    • Bastion host

      • Rare in modern implementations

  • Specialized network device

    • Hardware firewalls

      • Cisco PIX/ASA, Checkpoint Firewall/1, Juniper NetScreen, etc

3

Packet Filtering

-Limit access based on address criteria

-Always use IP address - never DNS names

  • DNS is far easier to spoof than IP addresses

-IP filtering

  • Control access based on source/destination IP address

-Vulnerable to IP spoofing

  • Directly - be on the same subnetwork and play ARP games

  • Remotely - use IP source routing

    • i.e. Loose Source Record Routing

4

Loose Source Record Routing

-You tell the packet that it must go through a specific router

  • Often used to allow access to networks that would otherwise be unreachable

-Enables a machine to spoof an address and still have traffic find it correctly

-ALWAYS disable LSRR on your border routers and firewalls

  • The source routed packets will still get to you, but you will return them through the “normal“ routes, effectively providing no way for the traffic to get to the bad host

  • Should be the default at this point in time

5

UDP and TCP Port Numbers

-UDP and TCP communication is based on numbered ports

  • There are separate source and destination ports

-Only destination ports are standardized

  • Loosely: no one polices the use of ports in non-standard ways

-Source ports are chosen randomly

  • From port 1024+

6

Types of Port Filtering

-Static

  • Only allow traffic based on port number or IP/port number combination

    • Allows more granularity than IP only filtering

  • Each packet is checked independently

-Dynamic

  • AKA stateful packet inspection

    • Created by CheckPoint in Firewall/1 in 1993

  • Checks the context of the packet as well as the src/dst addresses

7

Destination Static Port Filtering

-Examine and filter based on the destination port number

  • For instance, only allow traffic destined for port 25 (a mail server)

-Major limitation - Only works if a server responds to incoming messages on the port received

  • Such as a web server

  • If the server would respond from port 25 all traffic could flow

8

Source Static Port Filtering

-Difficult to do effectively

-Source ports are typically randomly chosen from numbers above 1023

  • Ports 1023 and lower are reserved

-When a server sends a message it will use a RANDOM source port of 1024 or greater

  • When the return traffic (SMTP is TCP) comes back for ACK/NAK, it would be blocked by the firewall

-The most basic work-around to this is to allow incoming traffic for any port greater than 1023

  • Although serviceable this creates a huge security hole

  • Anything can listen on a higher port number

  • Some standard traffic types use these higher port numbers as well

9

Bi-Directional Static Filters

-We can add security to this approach by also looking at the source port for ingress traffic

  • Known as bi-directional filters

-For our mail server we could allow any traffic destined for port 25 or from port 25

  • This would ensure that we are theoretically dealing with a mail server at the other end of the connection

-However, there is no guarantee that the process running on port 25 is actually a mail server - it could be virtually anything

  • It could be an exploit spoofing SMTP targeted at any port > 1023

10

TCP Static Source Port Filtering

-For TCP we have another tool available

-Only allow ingress traffic on ports > 1023 that have the ACK bit set in the TCP header

  • Ensures that these packets are part of a data flow

-Reliable solution for outgoing traffic

  • Doesn’t solve anything for incoming connections

-Doesn’t work for flows that dynamically open multiple connections

  • Such as FTP (non-passive) or H.323

    • Can be worked around by using passive mode FTP (PASV) where the client opens all connections

    • Most FTP implementations will work in passive mode

11

UDP Source Port Static Filtering

-We’re basically screwed

  • As UDP is connectionless there are no ACK flags to check

  • The best bet is to simply deny UDP

  • Might not be possible

    • DNS, SIP, etc. use UDP

  • For DNS you can use DNS forwarding and limit by IP address to your ISP’s upstream DNS server

12

Dynamic Packet Filtering

-Keeps ports closed until needed

  • Will not show a port open on a port scan

-Controls access to open ports based on the context of the communication as well as protocol and detail information

  • Builds a state table of information about the communications

    • Checks sequence numbers of incoming and outgoing TCP packets

    • Keeps track of UDP data flows

  • Can require/provide authentication upon session startup

  • Can examine application layer to ensure that the traffic is what it purports to be

-Packets from the outside are still delivered directly to the inside and vice versa

  • SPI is still a packet filtering firewall

13

What to do with blocked traffic?

-Send an ICMP “host not reachable“ message

  • Can cause the other end of the connection not to re-try with an allowed traffic type

-Send an ICMP “host administratively unreachable“ message

  • Tells a hacker that there is a firewall blocking this type of traffic (and to try something else)

-Send nothing

  • The other end may continue to re-try the connection wasting bandwidth and system capacity

  • However, this is considered the safest solution

14

Packet Filter Strengths and Weaknesses

-Strengths

  • Usually fast - can approach line speeds

-Weaknesses

  • The internal and external machines communicate directly - once we allow the communication we have no idea what occurs

  • Limited (with SPI) authentication/authorization of users

  • There is usually little to no logging

15

A properly configured packet filter is immune to IP address spoofing (T/F)

False

16

The biggest disadvantage of packet filtering is that a direct connection is made between the source and destination (T/F)

True

17

Stateful Packet Inspection is another term for application layer gateway (T/F)

False

18

Best practice is to send an ICMP host not reachable message when a packet is blocked by a firewall (T/F)

False

19

Using UDP static filtering and allowing outgoing connections effectively opens up all non-reserved UDP ports for incoming traffic (T/F)

True
