Packet filters

A packet-filter based firewall inspects the information in the header of the data packets and uses this information to decide whether the packet should be allowed through or not. The information checked for data packets includes:

The rules defined in a packet-filter based firewall can decide, for example, whether packets from a particular IP address range are allowed to be forwarded to the local network, or whether packets for certain services (i.e., specific port numbers) should be filtered. These measures can be used to restrict or prevent communication with certain computers or entire networks, or the use of particular services. Rules can be combined. For example, you may want to allow only computers with specific IP addresses to access the Internet via TCP port 80, while disabling this service for all other computers.

The configuration of packet-filtering firewalls is relatively simple, and the list of allowed or forbidden packets can be extended quickly. Since a packet filter needs only modest resources to perform well, packet filters are usually implemented directly in routers, which in any case sit at the boundary between networks.

The disadvantage of packet filters is that the list of rules can become difficult to manage over time. Furthermore, some services negotiate the ports for their connections dynamically. For this communication to work, the administrator is forced to leave open any ports that may potentially be required, which of course goes against the principles of most security concepts.

An example of a process that causes difficulties for simple packet filters is establishing an FTP connection from a computer in the local LAN to an FTP server on the Internet. With the widely used active FTP, the client sends a request (from the protected LAN) from a high-numbered port (> 1023) to port 21 of the server. The client informs the server which port it expects the data connection on. The server then establishes a connection from its port 20 to the port requested by the client.

To enable this operation, even though it is impossible to know in advance which port the client will request for the FTP data connection, the administrator of the packet filter is forced to open all high ports for inbound connections. An alternative is to use passive FTP. Here, the client itself establishes the data connection to the server, using a port number that the server has previously communicated to it, so no inbound connection has to be admitted. However, this method is not supported by all clients/servers.
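To make the rule combination from above (port 80 only for selected hosts) and the active FTP problem concrete, here is a small stateless packet-filter simulator. This is an added example, not LANCOM code; all addresses, the rule sets and the `Packet`/`Rule`/`decide` names are constructed for illustration, and first-match-wins with a default deny is assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "0.0.0.0/0"
HIGH_PORTS = range(1024, 65536)  # unprivileged ports (> 1023)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    src: str = ANY                      # source network (CIDR)
    dst: str = ANY                      # destination network (CIDR)
    src_ports: Optional[range] = None   # None = any source port
    dst_ports: Optional[range] = None   # None = any destination port

    def matches(self, p: Packet) -> bool:
        # Only header fields are inspected; there is no connection state.
        return (ip_address(p.src_ip) in ip_network(self.src)
                and ip_address(p.dst_ip) in ip_network(self.dst)
                and (self.src_ports is None or p.src_port in self.src_ports)
                and (self.dst_ports is None or p.dst_port in self.dst_ports))

def decide(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; an unmatched packet is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

LAN = "192.168.1.0/24"  # constructed sample network
# Outbound policy: only two LAN hosts may use TCP port 80 on the Internet,
# and every LAN host may open the FTP control channel (port 21).
OUTBOUND = [
    Rule("allow", src="192.168.1.10/32", dst_ports=range(80, 81)),
    Rule("allow", src="192.168.1.11/32", dst_ports=range(80, 81)),
    Rule("allow", src=LAN, dst_ports=range(21, 22)),
]
# Inbound policy without FTP support: no connection from the Internet is admitted.
INBOUND_STRICT: List[Rule] = []
# Inbound policy the text describes for active FTP: the server's port 20 may reach
# every high port of every LAN host, because the client's port is not known in advance.
INBOUND_ACTIVE_FTP = [
    Rule("allow", dst=LAN, src_ports=range(20, 21), dst_ports=HIGH_PORTS),
]
# Constructed active-FTP data connection: server port 20 -> client high port.
FTP_DATA = Packet("203.0.113.5", 20, "192.168.1.10", 50000)
```

The broad inbound rule matches only on header fields, so it cannot distinguish the real FTP server from any other Internet host that happens to use source port 20, which is the weakness the text refers to.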

Returning to the comparison of the firewall with a doorman: the doorman only checks whether or not he knows the courier at the door with the parcel. If the doorman knows the courier and has previously allowed him to enter the building, the courier may enter unhindered and unchecked and go to the recipient's workstation for all subsequent deliveries.

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
