UNCLASSIFIED  Router Security Principles and Goals  Version 1.0g  UNCLASSIFIED  33

3.2.2. Packet Filters for TCP/IP

A packet filter for TCP/IP services provides control of the data transfer between networks based on addresses and protocols. Routers can apply filters in different ways. Some routers have filters that apply to network services in both inbound and outbound directions, while others have filters that apply only in one direction. (Many services are bi-directional. For example, a user on System A telnets to System B, and System B sends some type of response back to System A. So, some routers need two filters to handle bi-directional services.) Most routers can filter on one or more of the following: source IP address, source port, destination IP address, destination port, and protocol type. Some routers can even filter on any bit or any pattern of bits in the IP header. However, routers do not have the capability to filter on the content of services (e.g. an FTP file name).

Packet filters are especially important for routers that act as the gateway between trusted and untrusted networks. In that role, the router can enforce security policy, rejecting protocols and restricting ports according to the policies of the trusted network. Filters are also important for their ability to enforce addressing constraints. For example, in Figure 3-1, the router should enforce the constraint that packets sent from the Firewall or protected network (right to left) must bear a source address within a particular range. This is sometimes called egress filtering. Similarly, the router should enforce the constraint that packets arriving from the Internet must bear a source address outside the range valid for the protected network. This is called ingress filtering.

Two key characteristics of TCP/IP packet filters are length and ordering. A filter consists of one or more rules, with each rule either accepting or denying a certain set of packets. The number of rules in a filter determines its length. Generally, as the length grows the filter becomes more complex and more difficult to troubleshoot.

The order of the rules in a packet filter is critical. When the router analyzes a packet against a filter, the packet is compared to each filter rule in sequential order. If a match is found, the packet is either permitted or denied and the rest of the filter is ignored. If no match is found, the packet is denied due to the implicit deny rule at the end of the filter. You must carefully create filter rules in the proper order so that all packets are treated according to the intended security policy. One method of ordering involves placing those rules that will handle the bulk of the traffic as close to the beginning of the filter as possible. Consequently, the length and ordering of a packet filter rule set can affect the performance for passing packets through the router.*

* This discussion is applicable to the packet filtering facilities of Cisco routers and most other kinds of routers. Cisco filtering is discussed in detail in Section 4.3. If you have a router made by a company other than Cisco Systems, consult its documentation for details.
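The first-match evaluation with an implicit deny described above, applied to the ingress and egress constraints of Figure 3-1, as an added example that is not part of the guide. The address ranges, the rule sets and the sample packets are constructed for illustration; the `Rule` and `evaluate` names are this example's own, not a router's command syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network in CIDR notation, or "any"
    dst: str = "any"             # destination network in CIDR notation, or "any"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port, None matches every port

def _match_net(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(rules, pkt):
    """Compare a packet with each rule in order; the first match decides and
    the rest of the filter is ignored. Returns (action, index of matching rule);
    no match at all falls through to the implicit deny, returned as ("deny", None)."""
    for i, r in enumerate(rules):
        if (_match_net(r.src, pkt["src"]) and _match_net(r.dst, pkt["dst"])
                and r.proto in ("any", pkt["proto"])
                and r.dport in (None, pkt.get("dport"))):
            return r.action, i
    return "deny", None

# Constructed protected-network range (TEST-NET-1 from RFC 5737).
PROTECTED = "192.0.2.0/24"

# Ingress filter, applied to packets arriving from the Internet: a packet that
# claims a protected-network source address cannot legitimately come from
# outside, so it is rejected before any service is permitted.
INGRESS = [
    Rule("deny", PROTECTED),
    Rule("permit", "any", PROTECTED, "tcp", 25),   # inbound mail only
]

# Egress filter, applied to packets leaving the protected network: only the
# protected range may appear as a source; anything else hits the implicit deny.
EGRESS = [Rule("permit", PROTECTED)]

# Mis-ordered ingress filter: the permit now precedes the deny and shadows it
# for port 25 traffic, so a spoofed protected-source packet gets through.
INGRESS_MISORDERED = [INGRESS[1], INGRESS[0]]
```

Evaluating the same spoofed packet against `INGRESS` and `INGRESS_MISORDERED` shows why ordering, not just the set of rules, determines the policy actually enforced.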