IT Baseline Protection Manual S 2.74 Selection of a suitable packet filter
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Packet filters are routers or computers with special software which use the information in layers three and four of the TCP/IP protocol family (IP, ICMP, ARP, TCP and UDP) to filter packets. Filtering is controlled by access (permit) and deny lists.
If a packet filter is required for a firewall, the following requirements should be set when it is purchased:
The filtering must be possible separately for each interface.
It must be possible to filter incoming and outgoing packets separately.
The filtering must be possible separately for individual computers or for complete sub-networks according to source and destination address.
The filtering must be possible separately according to source and destination port.
The order in which the filter rules are evaluated should not be automatically changed by the packet filter.
The order in which the filter rules are evaluated should be easily recognised, i.e. sufficiently documented.
The entry and control of filter rules must be simple and clear, e.g. by symbolic service and protocol names.
In case of TCP packets, it should be possible to determine whether an existing connection is being used or a connection is being established, i.e. to distinguish between packets with and without ACK.
It must be possible to log IP addresses, service, time and date for each packet. Selective logging of certain packets (e.g. only packets with a specific source address) must also be possible.
It must be possible to send all logging information to an external host.
Special, adjustable events must lead to an immediate warning (e.g. repeated incorrect authentication attempts).
If a router is used as a packet filter, it should be possible to use static routing tables. In general, however, routers should not be used as packet filters: they have a very wide range of functions, so filtering is often only offered as an add-on, with corresponding consequences for the development and testing of the related software.
If a router is used as a packet filter, dynamic routing must be configured in such a way that routing packets (e.g. RIP) which affect the network requiring protection are only permitted on the interface connected to the network requiring protection.
It must be possible to reject packets with source routing information by default.
If required, the packet filter should support dynamic packet filtering. This means that when, for example, a UDP packet is transmitted, its context is stored for a particular time period and the corresponding response packets are allowed to pass through.
Dynamic filters
Based on the definition of a packet filter as a filter which checks only the information of layers three and four, the limits of this approach soon become apparent. Although it is possible in the case of TCP (Transmission Control Protocol) to recognise the establishment of a connection and thereby prohibit connections from the Internet into the network requiring protection, this is no longer possible in the case of UDP (User Datagram Protocol), which has no connection set-up. Dynamic packet filters are used to solve this problem. If a UDP packet is sent from an internal computer to a DNS server in the Internet, the dynamic packet filter stores the data (source and destination address, source and destination port) and generates a new permit rule for the response packets. This rule is only valid for a certain period, which can be adjusted. If no response packets are received within that period, it is deleted.
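The DNS exchange described above, worked through as an added example that is not part of the manual: a toy dynamic filter that records the four-tuple of an outbound UDP packet, permits matching replies only while the adjustable period lasts, denies inbound TCP packets without ACK, and rejects source-routed packets by default. Packets are represented as plain dicts, the addresses and the 30-second period are constructed values, and time is passed in explicitly so the example runs offline.

```python
from dataclasses import dataclass, field

UDP_STATE_TTL = 30.0  # assumed period (seconds) an outbound UDP exchange stays valid


@dataclass
class DynamicPacketFilter:
    """Toy stateful filter. Packets are dicts with keys proto, src, dst,
    sport, dport and optionally ack (TCP) and source_route (bool)."""
    internal_net: str                # address prefix of the protected network
    ttl: float = UDP_STATE_TTL
    pending: dict = field(default_factory=dict)  # (src,dst,sport,dport) -> expiry

    def _expire(self, now):
        for key in [k for k, exp in self.pending.items() if exp <= now]:
            del self.pending[key]      # period over: the temporary rule is deleted

    def decide(self, pkt, now):
        """Return 'permit' or 'deny' for a packet seen at time `now` (seconds)."""
        self._expire(now)
        if pkt.get("source_route"):    # source-routed packets are rejected by default
            return "deny"
        outbound = pkt["src"].startswith(self.internal_net)
        if pkt["proto"] == "tcp":
            # A packet without ACK is a connection attempt; only the inside may initiate.
            return "deny" if (not outbound and not pkt.get("ack")) else "permit"
        if pkt["proto"] == "udp":
            if outbound:
                # Store the context and create a temporary permit rule for the replies.
                key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
                self.pending[key] = now + self.ttl
                return "permit"
            # Inbound UDP passes only as the reply to a remembered outbound packet.
            reply_of = (pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"])
            return "permit" if reply_of in self.pending else "deny"
        return "deny"                  # anything else is denied


def dns_walkthrough():
    """Constructed exchange: internal host 10.0.0.5 queries DNS server 192.0.2.53."""
    pf = DynamicPacketFilter(internal_net="10.0.0.")
    query = {"proto": "udp", "src": "10.0.0.5", "dst": "192.0.2.53", "sport": 40000, "dport": 53}
    reply = {"proto": "udp", "src": "192.0.2.53", "dst": "10.0.0.5", "sport": 53, "dport": 40000}
    return [
        pf.decide(reply, now=0.0),                   # unsolicited reply: deny
        pf.decide(query, now=1.0),                   # outbound query: permit, context stored
        pf.decide(reply, now=2.0),                   # matching reply: permit
        pf.decide(reply, now=1.0 + UDP_STATE_TTL),   # period expired: deny again
    ]
```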