Possible packet filtering criteria
Network packets may be filtered on a number of criteria,
such as their routing properties (for IP and ICMP),
and transport and service properties (for TCP and UDP).
By examining the IP and transport headers of TCP/IP traffic,
we can reject obviously falsified traffic and enforce a site's policy on which services may cross the boundary:
- filter on each IP packet's source address.
Packets which arrive on a network interface connected to the
outside of our internal network (i.e. the Internet)
and announce their source address as being from the internal network,
probably have spoofed source addresses.
- filter on each IP packet's destination address.
Packets destined for an internal network address should not leave the
network via an external interface.
- filter based on specific low-level routing or transport protocols,
such as denying all ICMP or UDP traffic from leaving,
- filter based on application protocols, such as permitting HTTP and
FTP requests to leave, but not permitting NFS mount requests to enter, and
- filter based on recent activity.
Stateful filtering (or stateful inspection)
keeps a table of recent connections and judges each new packet against it;
for example, with active-mode FTP the server opens the data connection back to the client,
so a stateful FTP filter permits that incoming data-connection request only if a
corresponding outgoing control-connection from the same client to that server already exists.
CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p18, 15th May 2024.
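The five criteria above, applied in order by one small packet classifier. This is an added example and not code from the lecture; it assumes an internal prefix of 192.0.2.0/24 (a documentation range), a direction flag in place of a real interface lookup, and a minimal state table that records only outbound FTP control connections. The NFS rule blocks rpcbind (111) and nfs (2049); mountd's port is assigned through rpcbind and is not hard-coded here.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Tuple

# Assumed internal prefix (RFC 5737 documentation range, chosen for the example).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

HTTP, FTP_CONTROL, FTP_DATA = 80, 21, 20
RPCBIND, NFS = 111, 2049          # inbound NFS / portmapper requests are refused


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": arrived on the external interface; "out": leaving via it
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection request


@dataclass
class StatefulFilter:
    # State table: (client_ip, server_ip) pairs with an outbound FTP control connection.
    ftp_control: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> Tuple[bool, str]:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)

        # 1. Anti-spoofing: an internal source address cannot legitimately arrive from outside.
        if pkt.direction == "in" and src in INTERNAL_NET:
            return False, "spoofed internal source on external interface"

        # 2. Egress: an internal destination should never leave via the external interface.
        if pkt.direction == "out" and dst in INTERNAL_NET:
            return False, "internal destination leaving via external interface"

        # 3. Transport/low-level protocol policy: no ICMP or UDP may leave.
        if pkt.direction == "out" and pkt.proto in ("icmp", "udp"):
            return False, "outbound %s denied" % pkt.proto

        # 4. Application policy on new outbound connections: HTTP and FTP only.
        if pkt.direction == "out" and pkt.proto == "tcp" and pkt.syn:
            if pkt.dport in (HTTP, FTP_CONTROL):
                if pkt.dport == FTP_CONTROL:
                    # Remember the control connection so the data channel can be matched later.
                    self.ftp_control.add((pkt.src, pkt.dst))
                return True, "outbound HTTP/FTP request permitted"
            return False, "outbound service not permitted"

        # New inbound connection requests.
        if pkt.direction == "in" and pkt.proto == "tcp" and pkt.syn:
            if pkt.dport in (RPCBIND, NFS):
                return False, "inbound NFS/portmapper request denied"
            # 5. Stateful FTP: accept the server's data connection (from port 20) only if
            #    the client already opened a control connection to that server.
            if pkt.sport == FTP_DATA and (pkt.dst, pkt.src) in self.ftp_control:
                return True, "inbound FTP data connection matches existing control connection"
            return False, "unsolicited inbound connection request"

        # Packets of already-established flows; a full implementation would also
        # match these against the state table (omitted to keep the example short).
        return True, "permitted"


if __name__ == "__main__":
    fw = StatefulFilter()
    # Constructed sample traffic between an internal host and an external FTP server.
    sample = [
        Packet("in", "tcp", "192.0.2.10", "198.51.100.5", 40000, HTTP, True),      # spoofed
        Packet("out", "tcp", "192.0.2.10", "198.51.100.5", 40000, FTP_CONTROL, True),
        Packet("in", "tcp", "198.51.100.5", "192.0.2.10", FTP_DATA, 40001, True),  # matches state
        Packet("in", "tcp", "198.51.100.5", "192.0.2.10", 50000, RPCBIND, True),
    ]
    for p in sample:
        print(p.direction, p.proto, p.src, "->", p.dst, fw.decide(p))
```

Rule order matters: the spoofing and egress checks run before any service policy, so a packet that passes the application rules has already been shown to have plausible addresses for the interface it arrived on.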