UNCLASSIFIED
Router Security Principles and Goals
Version 1.0g
3.2.2. Packet Filters for TCP/IP
A packet filter for TCP/IP services provides control of the data transfer between
networks based on addresses and protocols. Routers can apply filters in different
ways. Some routers have filters that apply to network services in both inbound and
outbound directions, while others have filters that apply only in one direction. (Many
services are bi-directional. For example, a user on System A telnets to System B, and
System B sends some type of response back to System A. So, some routers need two
filters to handle bi-directional services.) Most routers can filter on one or more of the
following: source IP address, source port, destination IP address, destination port,
and protocol type. Some routers can even filter on any bit or any pattern of bits in the
IP header. However, routers do not have the capability to filter on the content of
services (e.g. FTP file name).
Packet filters are especially important for routers that act as the gateway between
trusted and untrusted networks. In that role, the router can enforce security policy,
rejecting protocols and restricting ports according to the policies of the trusted
network. Filters are also important for their ability to enforce addressing constraints.
For example, in Figure 3-1, the router should enforce the constraint that packets
sent from the Firewall or protected network (right to left) must bear a source address
within a particular range. This is sometimes called egress filtering. Similarly, the
router should enforce the constraint that packets arriving from the Internet must bear
a source address outside the range valid for the protected network. This is called
ingress filtering.
Two key characteristics of TCP/IP packet filters are length and ordering. A filter
consists of one or more rules, with each rule either accepting or denying a certain set
of packets. The number of rules in a filter determines its length. Generally, as the
length grows the filter becomes more complex and more difficult to troubleshoot.
The order of the rules in a packet filter is critical. When the router analyzes a packet
against a filter the packet is compared to each filter rule in sequential order. If a
match is found then the packet is either permitted or denied and the rest of the filter is
ignored. If no match is found then the packet is denied due to the implicit deny rule
at the end of the filter. You must carefully create filter rules in the proper order so
that all packets are treated according to the intended security policy. One method of
ordering involves placing those rules that will handle the bulk of the traffic as close
to the beginning of the filter as possible. Consequently, the length and ordering of a
packet filter rule set can affect the performance for passing packets through the
router.*

* This discussion is applicable to the packet filtering facilities of Cisco routers and most other
kinds of routers. Cisco filtering is discussed in detail in Section 4.3. If you have a router
made by a company other than Cisco Systems, consult its documentation for details.
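The filter semantics described in this section (sequential first-match evaluation, the implicit deny at the end, and ingress/egress source-address constraints) can be modelled in a few lines. The following is an added example, not code from the guide or from any router vendor: its rule syntax is its own rather than Cisco's, and the protected network 192.0.2.0/24 and web server 192.0.2.10 are constructed placeholders, not the addresses of Figure 3-1.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp", "icmp" or "any"
    src: str           # source network in CIDR form; "0.0.0.0/0" means any address
    dst: str           # destination network in CIDR form
    dport: int = 0     # destination port; 0 means any port

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def rule_matches(rule, pkt):
    """A rule matches only when every one of its fields matches the packet."""
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport == 0 or rule.dport == pkt.dport))

def apply_filter(rules, pkt):
    """Sequential first-match evaluation: returns (action, index of matching rule).
    A packet matching no rule is dropped by the implicit deny (index None)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None

# Constructed topology (placeholder addresses, not those of Figure 3-1): the
# protected network is 192.0.2.0/24 and 192.0.2.10 is its public web server.
PROTECTED = "192.0.2.0/24"
ANY = "0.0.0.0/0"
# Ingress filter for packets arriving from the Internet. The anti-spoofing deny
# comes first so it is evaluated before any permit can match the same packet.
INGRESS = [
    Rule("deny", "any", PROTECTED, ANY),             # internal source from outside
    Rule("permit", "tcp", ANY, "192.0.2.10/32", 80), # web traffic to the server
]
# The same two rules in the wrong order: a spoofed packet to port 80 is permitted.
INGRESS_BAD_ORDER = [INGRESS[1], INGRESS[0]]

# Egress filter for packets leaving the protected network: only packets bearing a
# valid internal source address may pass; everything else hits the implicit deny.
EGRESS = [Rule("permit", "any", PROTECTED, ANY)]
```

Comparing `INGRESS` with `INGRESS_BAD_ORDER` on a packet that arrives from the Internet with an internal source address shows why rule order, not just rule content, decides the policy actually enforced.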