Transcript Document

 Network appliances that filter network traffic
 Filtering is done on header fields (largely based on layers 3-5)
 (Diagram: the filtering appliance sits between the Internet and the Intranet.) Header fields used for filtering:
 - Destination IP
 - Source IP
 - Destination Port
 - Source Port
 - Flag (TCP-only):
   ACK - acknowledge
   FIN - final
   PSH - push
   RST - reset
   SYN - synchronize
   URG - urgent
 static packet filtering
 dynamic packet filtering
 stateful packet filtering
 proxy server
 static packet filtering
 Network manager configures access control lists
 Packets are compared to access control lists
 Example: block
Problems with static filtering
• Blocking FIN scanning
• Difficult to filter ICMP
Internet Control Message Protocol
- designed for Internet testing/maintenance
- does not use ports
- has type field
0 - echo reply
3 - destination unreachable
4 - source quench (from overloaded router)
5 - redirect (indicates a better path)
6 - echo request
9 - router advertisement (for new routers)
10 - router solicitation (host request for advertisement)
11 - time exceeded (packet header may include time)
12 - parameter problem (catch all for errors)
13 - time stamp request (checking link speed)
14 - time stamp reply
 dynamic packet filtering
 Includes all capabilities of static filtering
 Maintains an Active Sessions Table
 Example: block external FIN scan
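The following is an added example, not code from the lecture: a minimal static ACL filter beside a dynamic filter that adds an Active Sessions Table. It shows why a FIN-only probe from outside (the FIN scan mentioned above) passes a static ACL that allows the port, but is dropped by the dynamic filter because no session exists for it. The ACL rules, the 4-tuple session key and the packets are constructed for the example; a real filter would also track the reverse direction and timeouts.

```python
# Added example (not from the lecture): static ACL filter vs. dynamic filter
# with an Active Sessions Table, demonstrating the "block external FIN scan" case.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


# Constructed static ACL: (destination port, action); first match wins, default deny.
ACL = [(80, "allow"), (443, "allow")]


def static_filter(pkt):
    """Static packet filtering: compare the packet header to the ACL only."""
    for port, action in ACL:
        if pkt.dst_port == port:
            return action
    return "deny"


class DynamicFilter:
    """Static ACL plus an Active Sessions Table keyed by the 4-tuple."""

    def __init__(self):
        self.sessions = set()

    @staticmethod
    def key(pkt):
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def filter(self, pkt):
        k = self.key(pkt)
        if k in self.sessions:
            # Packet belongs to a known session; FIN/RST closes it.
            if "FIN" in pkt.flags or "RST" in pkt.flags:
                self.sessions.discard(k)
            return "allow"
        # No session yet: only a bare SYN permitted by the ACL may open one.
        if pkt.flags == frozenset({"SYN"}) and static_filter(pkt) == "allow":
            self.sessions.add(k)
            return "allow"
        # A FIN (or any other non-SYN packet) with no matching session is dropped,
        # which is exactly what blocks an external FIN scan.
        return "deny"
```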
 stateful packet filtering
 Includes all capabilities of dynamic filtering
 Also “understands” certain application behavior
 Example: better control over UDP, NFS, RPC
 proxy server
 Messages to destination IP are rerouted to a proxy
 The proxy communicates on behalf of the destination
 The proxy may also communicate with the destination