S 4.98 Restricting communication to a minimum with packet filters
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Packet filters are IT systems running special software that filters information in the lower layers of the OSI model and then forwards or rejects packets according to defined rules (see S 2.74 Selection of a suitable packet filter).
The configuration of a packet filter used for protecting Internet servers should be very restrictive in order to maximise the resistance against attacks. A well configured Internet server (see S 4.95 Minimal operating system) should be capable of protecting itself against attacks, but the software of an Internet server is much more complex and more prone to error than the software of a packet filter designed for security. The packet filter should only permit those communication channels necessary for the function of the Internet servers. In particular, not only the communication initiated from the Internet to the Internet server, but also the communication the Internet server is allowed to establish towards the Internet must be controlled. A prerequisite for many attacks is that the attacked computer is capable of establishing new connections to the Internet; if this is not possible, many attacks fail. For example, an attack on news servers was very widespread in 1997, in which the attacker exploited an error in a news daemon to have important system information sent to him by email. If the attacked computers had not been authorised to send emails, the attacker would not have received any response and the attack would not have succeeded.
Some examples for the configuration of packet filters for different Internet servers are described below. In the rules, "ACK set" denotes TCP packets with the ACK bit set, i.e. packets belonging to a connection that was established in the opposite direction; this is the only traffic the server may send back to a client on a stateless packet filter.
- Web servers:
  - Internet may connect to port 80 and/or 443 (SSL/TLS) of the web server (TCP)
  - web server may connect from port 80 and/or 443 (SSL/TLS) to the Internet (TCP, ACK set), nothing else!
- News servers:
  - newsfeed servers may connect to port 119 of the news server (TCP)
  - news server may connect from port 119 to the newsfeed servers (TCP, ACK set)
  - news server may connect to port 119 of the newsfeed servers (TCP)
  - newsfeed servers may connect from port 119 to the news server (TCP, ACK set)
- Email servers (provider operates the email gateway):
  - email server of the provider may connect to port 25 of the email server (TCP)
  - email server may connect from port 25 to the email servers of the provider (TCP, ACK set)
  - email server may connect to port 25 of the email server of the provider (TCP)
  - email server of the provider may connect from port 25 to the email server (TCP, ACK set)
- Email servers (direct sending to the Internet):
  - Internet may connect to port 25 of the email server (TCP)
  - email server may connect from port 25 to the Internet (TCP, ACK set)
  - email server may connect to port 25 in the Internet (TCP)
  - Internet may connect from port 25 to the email server (TCP, ACK set)
- DNS servers:
  - resolving DNS server may connect to port 53 of the advertising DNS server (UDP)
  - advertising DNS server may connect to all ports of the resolving DNS server (UDP; only necessary for a stateless firewall)
  - resolving DNS server may connect to port 53 of its forwarder (UDP)
  - forwarder may connect to all ports of the resolving DNS server (UDP; only necessary for a stateless firewall)
  - external network may connect to port 53 of the advertising DNS server (UDP)
  - advertising DNS server may connect to all ports of external DNS servers (UDP and TCP; only necessary for a stateless firewall)
  - internal network may connect to port 53 of the resolving DNS server (UDP)
  - resolving DNS server may connect to all ports of the internal network (UDP; only necessary for a stateless firewall)
  - primary DNS server may connect to port 53 of its secondary DNS servers (UDP and TCP)
  - secondary DNS server may connect to port 53 of its primary DNS server (UDP and TCP)
If only these rules are implemented, communication from the Internet can only be established to the approved services. If, in addition, the permitted communication partners can be restricted (as in the examples above, e.g. to the newsfeed servers or to the provider's email server), an attacker cannot establish any connection to the Internet server at all.
Note: With the rules above, the Internet server will not be reachable from every computer, because all ICMP is rejected. It is therefore advisable to additionally permit the ICMP type "unreachable" (destination unreachable) from the Internet to the Internet server.
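The following is an added example, not part of the BSI safeguard text: a minimal stateless rule matcher that encodes the web-server rule set above plus the ICMP "unreachable" exception from the note. The server address 192.0.2.10, the client addresses and the packet model are constructed for illustration; the point it demonstrates is that a reply from port 443 with the ACK bit set is allowed, while a new connection from the web server (e.g. to port 25, as in the 1997 news-server incident) and a packet from port 443 without ACK are both dropped.

```python
from dataclasses import dataclass

WEB = "192.0.2.10"          # constructed example address of the web server
WEB_PORTS = {80, 443}       # HTTP and HTTPS (SSL/TLS), as in the rule set


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK bit; clear only on the very first SYN of a connection
    icmp_type: int = 0      # ICMP type; 3 = destination unreachable


def is_internet(addr: str) -> bool:
    # Everything that is not the web server counts as "Internet" in this example.
    return addr != WEB


# (description, predicate): first match wins, everything else is denied by default.
RULES = [
    ("Internet -> web server port 80/443 (TCP)",
     lambda p: p.proto == "tcp" and is_internet(p.src) and p.dst == WEB
     and p.dport in WEB_PORTS),
    ("web server port 80/443 -> Internet (TCP, ACK set), nothing else",
     lambda p: p.proto == "tcp" and p.src == WEB and is_internet(p.dst)
     and p.sport in WEB_PORTS and p.ack),
    ("ICMP unreachable from the Internet to the web server (see note)",
     lambda p: p.proto == "icmp" and is_internet(p.src) and p.dst == WEB
     and p.icmp_type == 3),
]


def decide(p: Packet) -> tuple:
    """Return ("accept", rule description) or ("drop", "default deny")."""
    for desc, match in RULES:
        if match(p):
            return "accept", desc
    return "drop", "default deny"


if __name__ == "__main__":
    # Constructed sample traffic: a client request, its reply, and two attempts
    # by the server itself to open new connections, which the filter must stop.
    for pkt in (Packet("tcp", "203.0.113.5", WEB, sport=50000, dport=443),
                Packet("tcp", WEB, "203.0.113.5", sport=443, dport=50000, ack=True),
                Packet("tcp", WEB, "203.0.113.9", sport=40000, dport=25),
                Packet("tcp", WEB, "203.0.113.9", sport=443, dport=25),
                Packet("icmp", "203.0.113.1", WEB, icmp_type=3)):
        print(decide(pkt), pkt)
```

The ACK check only prevents the server from opening connections; on a stateful packet filter the same intent is expressed by allowing only packets of established connections back out, which also covers UDP.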
Review questions:
- Does the packet filter only permit the necessary communication channels?