S 4.98 Restricting communication to a minimum with packet filters

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Packet filters are IT systems with special software which filter the information of the lower layers of the OSI model and pass on or intercept packets in accordance with special rules (see S 2.74 Selection of a suitable packet filter).

The configuration of a packet filter that is used to protect Internet servers should be very restrictive, so as to maximise resistance to attacks. Although a well-configured Internet server (seeS 4.95 ) should be able to protect itself against attacks, the software on an Internet server is much more complex and more susceptible to errors than that of a packet filter designed for security. The packet filter should only allow those communication channels through which are necessary for operation of the Internet server. In particular, it is necessary to control not only communication that is initiated from the Internet to the Internet server, but also communication which the Internet server is allowed to set up to the Internet. For many attacks it is a necessary precondition that the attacked computer must be able to establish new connections to the Internet. If this is not possible, many attacks will not be successful. In 1997, for example, an attack on a news server was very "popular", where the attacker was able to exploit an error in a news daemon to have important system information sent to him by e-mail. If the attacked computers had not had the authorisation to send e-mails, the attacker would not have received a return message. The attack would not have succeeded.

A few examples of the configuration of packet filters for various Internet servers are shown below.

1. WWW server:

Internet has access to port 80 of WWW server TCP

WWW server has access to Internet from port 80 TCP/ack, nothing else!

2. News server:

Newsfeed servers have access to port 119 of news server TCP

News server has access from port 119 to newsfeed server TCP/ack

News server has access to port 119 of newsfeed server TCP

Newsfeed servers has access from port 119 to the news server TCP/ack

3. E-mail server (provider makes e-mail gateway available):

E-mail server of provider has access to port 25 of e-mail server TCP

E-mail server has access from port 25 to provider's e-mail server TCP/ack

E-mail server has access to port 25 of provider's e-mail server TCP

Provider's e-mail server has access from port 25 to e-mail server TCP/ack

4. E-mail server (sending to Internet itself):

Internet has access to port 25 of e-mail server TCP

E-mail server has access from port 25 to Internet TCP/ack

E-mail server has access to port 25 in Internet TCP

Internet has access from port 25 to e-mail server TCP/ack

If these rules are implemented alone, the establishment of communication from the Internet is restricted to the enabled services. If the communication partners can be further restricted (see above examples 2 and 3), an attacker cannot set up any direct connection to the Internet server at all.

Note: The above rules may have the effect that the Internet server cannot be reached from every computer because ICMP is not let through. It is therefore advisable to let the ICMP subtype icmp unreachable through from the Internet to the Internet server.