Transcript Document
Firewalls: network appliances that filter network traffic
Filter on header fields (largely layers 3-4, i.e. IP addresses, ports and TCP flags; stateful filters also track sessions)
[diagram: firewall placed between the Internet and the intranet]
Destination IP
Source IP
Destination Port
Source Port
Flags (TCP only)
ACK - acknowledge (acknowledgement number is valid)
FIN - finish (sender has no more data; closes its side of the connection)
PSH - push (deliver data to the application immediately)
RST - reset (abort the connection)
SYN - synchronize (open a connection)
URG - urgent (urgent pointer is valid)
static packet filtering
dynamic packet filtering
stateful packet filtering
proxy server
static packet filtering
Network manager configures access control lists
Packets are compared to access control lists
[diagram: incoming packet compared against the ACL]
Example: block
Problems with static filtering
• Cannot block FIN scanning: a lone FIN packet looks like the end of a legitimate session, and with no session table there is nothing to check it against
• Difficult to filter ICMP: ICMP has no ports, so rules must be written on the type field
Internet Control Message Protocol
- designed for Internet testing/maintenance
- does not use ports
- has type field
0 - echo reply
3 - destination unreachable
4 - source quench (from an overloaded router; deprecated)
5 - redirect (indicates a better path; can be abused to rewrite a host's routes)
8 - echo request (the "ping" probe; note the type is 8, not 6)
9 - router advertisement (for new routers)
10 - router solicitation (host request for an advertisement)
11 - time exceeded (TTL reached zero in transit, or fragment reassembly timed out)
12 - parameter problem (bad IP header field; catch-all for other errors)
13 - timestamp request (measuring round-trip time and clock offset)
14 - timestamp reply
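Because ICMP has no ports, a filter has to parse the message and decide on the type field. The following is an added example, not part of the original lecture notes: it builds and parses raw ICMP messages (type, code, checksum, four-byte rest-of-header, payload) and applies an assumed inbound policy that admits replies and error reports internal hosts need (echo reply, destination unreachable, time exceeded, parameter problem) and drops the rest, including echo requests and redirects. The policy set `INBOUND_ALLOW` and the helper names are assumptions chosen for the illustration; the type numbers are the standard ICMP assignments.

```python
import struct

# ICMP message types from the list above (echo request is type 8).
ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench",
    5: "redirect", 8: "echo request", 9: "router advertisement",
    10: "router solicitation", 11: "time exceeded", 12: "parameter problem",
    13: "timestamp request", 14: "timestamp reply",
}

# Assumed policy for the Internet -> intranet direction: admit the replies and
# error reports internal hosts need, drop everything else (probes, redirects, ...).
INBOUND_ALLOW = {0, 3, 11, 12}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Constructed test message: type, code, checksum, 4 bytes of 'rest of header', payload."""
    header = struct.pack("!BBHI", msg_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", msg_type, code, csum, 0) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Parse the 8-byte ICMP header; reject short or corrupted messages."""
    if len(pkt) < 8:
        raise ValueError("short ICMP header")
    msg_type, code, _csum, _rest = struct.unpack("!BBHI", pkt[:8])
    # Checksumming the whole message, checksum field included, must give zero.
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad checksum")
    return {"type": msg_type, "code": code, "name": ICMP_TYPES.get(msg_type, "unknown")}


def filter_inbound_icmp(pkt: bytes) -> str:
    """Decision for one inbound ICMP message: there is no port, so the type decides."""
    try:
        hdr = parse_icmp(pkt)
    except ValueError as err:
        return "drop (malformed: %s)" % err
    if hdr["type"] in INBOUND_ALLOW:
        return "allow"
    return "drop (%s)" % hdr["name"]


if __name__ == "__main__":
    for t in (0, 3, 5, 8, 11, 13):
        print(t, ICMP_TYPES[t], "->", filter_inbound_icmp(build_icmp(t)))
```

Malformed messages (truncated header, wrong checksum) are dropped before the type is even consulted, so a rule written as "allow type 0" cannot be satisfied by a garbage packet that merely starts with a zero byte.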
dynamic packet filtering
Includes all capabilities of static filtering
Maintains an Active Sessions Table
[diagram: packet checked against the ACLs and the active sessions table]
Example: block external FIN scan
stateful packet filtering
Includes all capabilities of dynamic filtering
Also “understands” certain application behavior
[diagram: packet checked against the ACLs, the active sessions table and application-level rules]
Example: better control over UDP, NFS, RPC (connectionless or dynamically assigned ports, which a plain ACL cannot express)
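The three filter types above build on each other, so one worked example covers the dynamic filtering section (active sessions table, blocking an external FIN scan) and this stateful section (UDP request/reply pairing). This is an added illustration, not code from the lecture: a static filter that only walks an ACL, a dynamic filter that adds a sessions table keyed on the flow, and a stateful filter that understands that a UDP reply is only legitimate shortly after a matching outbound request. The packet model, the ACL (a public web server on TCP 80 and unrestricted outbound traffic), the addresses and the 30-second UDP timeout are all assumptions made for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str               # "tcp" or "udp"
    src_port: int
    dst_port: int
    inbound: bool            # True: Internet -> intranet, False: intranet -> Internet
    flags: frozenset = frozenset()   # TCP flag names, e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class Rule:
    """One ACL entry; None fields match anything. First match wins, default deny."""
    action: str
    inbound: bool = None
    proto: str = None
    dst_port: int = None

    def matches(self, p: Packet) -> bool:
        return ((self.inbound is None or self.inbound == p.inbound)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port))


class StaticFilter:
    """Static packet filtering: every packet is judged by the ACL alone."""
    def __init__(self, acl):
        self.acl = list(acl)

    def decide(self, p: Packet, now: float = 0.0) -> str:
        for r in self.acl:
            if r.matches(p):
                return r.action
        return "deny"


def flow_key(p: Packet):
    """Same key for both directions of one conversation."""
    ends = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
    return (p.proto, ends[0], ends[1])


class DynamicFilter(StaticFilter):
    """Dynamic packet filtering: the ACL plus an active sessions table for TCP."""
    def __init__(self, acl):
        super().__init__(acl)
        self.sessions = {}   # flow_key -> time of last packet

    def decide(self, p: Packet, now: float = 0.0) -> str:
        if p.proto != "tcp":
            return super().decide(p, now)
        k = flow_key(p)
        if k in self.sessions:                  # belongs to a tracked connection
            if p.flags & {"FIN", "RST"}:        # connection is being torn down
                del self.sessions[k]
            return "allow"
        if p.flags == {"SYN"} and super().decide(p, now) == "allow":
            self.sessions[k] = now              # new connection the ACL permits
            return "allow"
        return "deny"   # FIN/ACK/RST with no session: this is what stops a FIN scan


class StatefulFilter(DynamicFilter):
    """Stateful packet filtering: adds protocol knowledge, here UDP request/reply pairing."""
    def __init__(self, acl, udp_timeout: float = 30.0):
        super().__init__(acl)
        self.udp_timeout = udp_timeout

    def decide(self, p: Packet, now: float = 0.0) -> str:
        if p.proto != "udp":
            return super().decide(p, now)
        k = flow_key(p)
        started = self.sessions.get(k)
        if started is not None and now - started <= self.udp_timeout:
            self.sessions[k] = now              # reply to a recent request: allowed
            return "allow"
        self.sessions.pop(k, None)              # absent or expired pseudo-session
        if super().decide(p, now) == "allow":   # a new request the ACL permits
            self.sessions[k] = now
            return "allow"
        return "deny"


# Assumed ACL: a public web server on TCP 80, and the intranet may initiate anything.
ACL = [
    Rule("allow", inbound=True, proto="tcp", dst_port=80),
    Rule("allow", inbound=False),
]


def fin_scan_demo():
    """External FIN probe against port 80: static passes it, dynamic drops it."""
    probe = Packet("203.0.113.9", "192.0.2.10", "tcp", 40000, 80, True, frozenset({"FIN"}))
    return StaticFilter(ACL).decide(probe), DynamicFilter(ACL).decide(probe)


def legit_close_demo():
    """SYN opens a session, FIN/ACK closes it, a repeated FIN afterwards is dropped."""
    fw = DynamicFilter(ACL)
    syn = Packet("203.0.113.9", "192.0.2.10", "tcp", 40000, 80, True, frozenset({"SYN"}))
    fin = Packet("203.0.113.9", "192.0.2.10", "tcp", 40000, 80, True, frozenset({"FIN", "ACK"}))
    return fw.decide(syn), fw.decide(fin), fw.decide(fin)


def dns_demo():
    """Outbound DNS query, its reply, an unsolicited UDP packet, and a reply after timeout."""
    fw = StatefulFilter(ACL, udp_timeout=30.0)
    query = Packet("192.0.2.10", "198.51.100.53", "udp", 5353, 53, False)
    reply = Packet("198.51.100.53", "192.0.2.10", "udp", 53, 5353, True)
    unsolicited = Packet("198.51.100.53", "192.0.2.10", "udp", 53, 6000, True)
    return (fw.decide(query, now=0.0), fw.decide(reply, now=1.0),
            fw.decide(unsolicited, now=1.0), fw.decide(reply, now=100.0))


if __name__ == "__main__":
    print("FIN scan (static, dynamic):", fin_scan_demo())
    print("SYN, FIN/ACK, stray FIN:", legit_close_demo())
    print("DNS query, reply, unsolicited, late reply:", dns_demo())
```

The same rule "allow inbound tcp/80" produces different results at each level: the static filter cannot tell a scan's FIN from a real session's FIN, the dynamic filter can because it saw (or did not see) the SYN, and the stateful filter extends that idea to UDP, which has no flags at all, by remembering the outbound request and expiring the pseudo-session.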
proxy server
Messages addressed to the destination IP are redirected to the proxy
The proxy answers the client on the destination's behalf (the client never talks to the real host)
The proxy may also open its own connection to the real destination to fetch the answer
[diagram: packet goes to the proxy, which in turn talks to the destination]