Packet Filter Firewall

Posted on 11:19 AM by Bharathvn

The oldest firewall technology is the packet filter, which looks at each packet as it passes through a network interface. This technology originated on Cisco routers around the year 1985. The implementation of this technology was quite simple and its concepts have been passed on to all subsequent firewall technologies.

A packet filter does exactly what its name suggests — it filters packets. The technology is designed to either allow an individual packet or deny it based on the configured filter or Access Control List (ACL).

An ACL consists of several different criteria that you can configure. At the end of each ACL is an implicit deny. This will drop any traffic that is not explicitly allowed.

The original implementation of packet filters is allowed only for the combination of source and destination Internet Protocol, or IP, addresses.

Packet filtering is a fairly basic mechanism to control access into or out of a network. This model induced a strict allow or deny policy based upon IP address alone. If the source IP address were allowed to the destination, the source would have access to all services on the destination. In the beginning, this was
sufficient, but it was far from ideal.

As new network-based services became available, the requirement to reduce the level of access between sources and destinations increased. Because hosts now served dozens of different services, restricting access to a specific service was required. New revisions of packet filters came into existence. The second iteration of filtering capabilities allowed for the inclusion of source port, destination port, and IP protocol type as decision criteria. This change created a much stricter security implementation. Access between hosts or networks could be restricted down to the service port and protocol such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and IP. For protocols such as Internet Control Message Protocol (ICMP), the specific message types could also be selected.

A great Web site to use to learn more about TCP/IP is www.tcpipguide.com. This information can also be found in book form (The TCP/IP Guide, No Starch Press, ISBN 159327047X).

Although security capability increased, so did the complexity of the situation. Because the inspection of packets has now gone beyond just IP addressing, the problem of dealing with the bidirectional nature of communications comes into play. When two hosts talk to each other using TCP, for example, they use a set of ports. The initiating host talks to its destination host using a random port greater than 1025 to a static port of the destination host. When creating an access list, you must specify the static port of the destination host. You can see this in the following pseudo code:

From source IP X to dest IP Y with source port 1025-65535 to destination port 80

Although this ingress-based policy is very straightforward, creating a return policy to restrict egress traffic is not as easy. Because the nature of TCP communications involves the creation of two separate flows to create a session, you must configure an inverse policy to allow return traffic from the server
back to the host. You can see this in the following pseudo code:

From source IP X to dest IP Y with source port 80 to destination port 1025-65535

The issue here is that the source IP address can now access the destination on any port. Although this does not seem like an issue, it ends up being a huge problem by allowing unsolicited connections back through the network to the destination host. The possibility thereby exists for an attacker to attempt to hijack sessions or exploit vulnerabilities on the OS or its hosted services. This situation created the need to monitor the state of the connection. The resulting technology is called a stateful firewall, which it is discussed in the following section.

Although this development may seem to render ACLs completely useless, the reality is quite the contrary. Packet filtering technology is still used today and it is considered best practice to do so. The technology is deployed in many locations where monitoring state is not required. You can filter out network garbage such as specific protocols or ports that you may not want your firewall to deal with. Some
routers are capable of doing this in hardware-based processing, which allows for line rate filtering of network traffic.

The capabilities of a packet filter today are extended in many ways. In some devices, you can filter down at a very low level. The pseudo code that follows this paragraph is an example. You can now look deeper in the packet to make a match, which includes looking deeper inside of protocols to look at specific flags
or options being set. Doing so extends the older firewall technology to keep it relevant today.

From source IP X to dest IP Y with TCP flag SYN and TCP flag FIN
OR
From source any to destination any where IP protocol is equal to 50