S 2.74 Selection of a suitable packet filter

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

In the transport and network layers, the functions of a security gateway are assumed by packet filters. The function of a packet filter is to process data packets using information contained in the header data of the UDP/IP or TCP/IP layer (e.g. IP address and port number). This decision is made by the packet filter using the filter rules defined by the administrator. In many cases, a packet filter also offers an option for Network Address Translation (NAT), in which the sender addresses of IP packets are replaced by an IP address of the packet filter. This is done to hide the network structure of the network to be protected.

The filter rules are processed for every incoming data packet in sequence. Normally, as soon as a rule applies to a packet, the check is terminated and the relevant rule is employed on that packet.

Packet filters can be further broken down in terms of the filtering options offered.

Static packet filters

Packet filters that make a decision on the basis of the header data in the UDP/IP and TCP/IP layers (e.g. using the IP source address, the IP destination address and the TCP flags) are referred to as static packet filters.

Dynamic packet filters/stateful inspection

Dynamic packet filters (also referred to as packet filters with stateful inspection) extend the functionality of static packet filters to include the possibility of considering the communication context. Dynamic packet filters can also make decisions with connectionless protocols (like UDP) as to whether an incoming packet is the response to a query or relates to the initiation of communication. Moreover it is also possible to provide services that are not associated with fixed port numbers securely, as here packets are always forwarded, irrespective of port number, if preceded by a suitable query from the trusted network.

A dynamic packet filter stores the source IP address and source port number for outgoing packets for a certain time period. Incoming IP packets are only forwarded if their destination IP address and destination port numbers are still held in memory, i.e. if a query was previously initiated from the trusted network and the specified hold period has not yet been exceeded.

Moreover, packet filters with stateful inspection usually allow the possibility of examining the data transmitted in the application layer.

Forms of implementation of packet filters

1. Computer configured as a packet filter, using an operating system that provides the necessary functionality

Advantages	Disadvantages
Depending on the operating system used, the investment costs are relatively low.	If there is a problem requiring any of the hardware to be replaced, the computer may be out of service for some time, as the operating system may need to be reinstalled or configured. Relatively complex to configure as minimal system (compared with a router with packet filter function). A certain amount of know-how is required to configure the computer as a minimal system. The PC hardware is often more vulnerable than the hardware of appliances, as the latter normally do not contain any hard disks or fans. The administration costs are usually higher than in the case of appliances, as there is usually no configuration user interface. Complexity is often higher than with appliances.

Advantages

Disadvantages

Depending on the operating system used, the investment costs are relatively low.

If there is a problem requiring any of the hardware to be replaced, the computer may be out of service for some time, as the operating system may need to be reinstalled or configured.
Relatively complex to configure as minimal system (compared with a router with packet filter function).
A certain amount of know-how is required to configure the computer as a minimal system.
The PC hardware is often more vulnerable than the hardware of appliances, as the latter normally do not contain any hard disks or fans.
The administration costs are usually higher than in the case of appliances, as there is usually no configuration user interface.
Complexity is often higher than with appliances.

Table 1: configuration of a computer as packet filter

2. Configuration of filter rules on a router

Advantages	Disadvantages
No investment costs if there is already a router available. Compared with computer-based packet filters, there is a low probability of failure, as routers usually have better availability.	Expandability is often limited on routers. Configuration may be more difficult than on appliances or computer-based packet filters. If the router has been set up at and is administered by a service provider, then the security functions of the router cannot be checked by in-house personnel.

Table 2: advantages and disadvantages of defining filter rules on a router

3. Use of an appliance

Advantages	Disadvantages
Quick to implement. Simple configuration of the functions provided (possibly over web interface) Simple configuration, as appliances often offer administration user interfaces. Appliances often support automatic updates. Probability of failure tends to be lower than with computer-based packet filters, as appliances often contain fewer "moving parts" (e.g. hard disk or fans) than normal computers.	Little scope for extending proprietary hardware and software. A failure may cause the router to be out of service for an extended period as it will often be necessary to return the equipment to the manufacturer unless an appropriate maintenance contract is in place. It may therefore be necessary to purchase a spare unit that can serve as a "cold standby". Little information available on the secure configuration and secure operation regarding special products (in addition to the information provided by the manufacturer). This can be especially problematic when the manufacturer discontinues support. Some appliances may not be widely used. In this case, there may be few consultants or service providers able to administer them.

Advantages

Disadvantages

Quick to implement.
Simple configuration of the functions provided (possibly over web interface)
Simple configuration, as appliances often offer administration user interfaces.
Appliances often support automatic updates.
Probability of failure tends to be lower than with computer-based packet filters, as appliances often contain fewer "moving parts" (e.g. hard disk or fans) than normal computers.

Little scope for extending proprietary hardware and software.
A failure may cause the router to be out of service for an extended period as it will often be necessary to return the equipment to the manufacturer unless an appropriate maintenance contract is in place. It may therefore be necessary to purchase a spare unit that can serve as a "cold standby".
Little information available on the secure configuration and secure operation regarding special products (in addition to the information provided by the manufacturer). This can be especially problematic when the manufacturer discontinues support.
Some appliances may not be widely used. In this case, there may be few consultants or service providers able to administer them.

Table 3: Use of an appliance

Requirements for packet filters

Under all three implementation forms, it may be possible to automatically work out the packet filter configuration from the settings of any ALG that exists. This has the advantage of reducing the necessary configuration effort, but at the expense of lower security, as a configuration error on the ALG automatically implies misconfiguration of the packet filter.

Before purchasing anything, it is necessary to check which of the following requirements the ALG will be fulfilling. Depending on the application context, it may be possible to dispense with some of the requirements, i.e. it is necessary to carry out an assessment of the requirements listed in the application context.

The following possibilities should be supported by the packet filter:

Forwarding or rejection of packets on the basis of
- source IP and destination IP address of individual computers or networks
- source and destination ports
- ICMP type
- all TCP flags (URG, ACK, PSH, RST, SYN, FIN). For example, with the ACK bit it is possible to distinguish between packets relating to connection setup and packets relating to an established connection. By checking the other bits, IP packets with nonsensical combinations of TCP flags can be rejected.
- the IP options
Support for the following actions
- packet forwarding ("allow")
- packet rejection ("deny & drop")
- rejection of packet and notification of the sender ("deny & reject")

Creation of filter rules separately for each interface of the packet filter
Separate filtering of inbound and outbound packets
Unalterable specification of the sequence in which the filter rules should be applied
Logging of IP address, service, time and date for every packet, but also limited to particular packets
If a router is used as a packet filter, it must be possible to configure the dynamic routing in such a way that routing packets (e.g. RIP) which affect the network requiring protection are only permitted on the interface connected to the network requiring protection
Protection against IP spoofing
If the security gateway comprises a single packet filter without ALG, then the following additional functions must be supported:
- port forwarding (often also referred to as "destination NAT")
- network address translation (NAT). Also support for:
  - replacement of IP ID
  - replacement of TTL
- stateful inspection

The requirements that packet filters have to satisfy and the reasons behind the choice that was actually made should be documented in a comprehensible manner.

Review questions:

Have the requirements for packet filters and the reasons behind the choice that was actually made been documented in a comprehensible manner?