Documente Academic
Documente Profesional
Documente Cultură
Packet Filtering
Packet filtering is one of the oldest and most widely available means to
control access to networks. The concept is simple: Determine whether a
packet is allowed to enter or exit the network by comparing some basic
identifying pieces of information located in the packet's header. Packetfiltering technology can be found in operating systems, software and
hardware firewalls, and as a security feature of most routers.
The goal of this chapter is to explore the highlights and weaknesses of
packet-filtering technology and how to implement this technology
successfully. We discuss the basics of TCP/IP and how it applies to packet
filtering, along with the rules of how to implement packet filters using Cisco
router access lists. We explore uses for rules that filter on source address,
such as the allowance and prohibition of traffic from given hosts and ingress
and egress filters. We also cover filters that examine destination addresses
and make decisions based on port numbers and their uses for improved
control of traffic flow. We examine the problems of the packet filter,
including its weaknesses to spoofing, fragmentation, control of return traffic,
and the problems with poking an always-open hole in your defense. Finally,
we explore the power of dynamic packet filters and the ways they can help
correct many of the downfalls of static packet filtering.
TCP/IP Primer: How Packet Filtering Works
IP Version 6
The version of IP protocol that is most commonly used on the Internet
today and that we are referring to in this chapter is IP version 4
(IPv4). It was created in the 1980s and has many limitations that have
required expansions to keep it valid into the twenty-first century.
Those limitations include a restricted address space, no integrated
security, no integrated means to automatically assign addresses, and
the list goes on. Although technologies were created as "band-aids" to
help overcome these issues (NAT, IPSec, and DHCP), it wasn't long
before development began on a replacement version. In the 90s, IP
version 6 (IPv6) was born. It has a much larger potential address
space made up of eight 16-bit values, instead of IPv4's four 8-bit
values. IPv4 addresses are most commonly notated as decimals in the
format 192.168.1.1, where the decimal numbers are some value
between 0 and 255 (2^8). IPv6 addresses are notated as hexadecimal
in the format 1234:ABCD:1A2B:4321:CDEF:C5D6:789D:F12A,
where the hexadecimal numbers are some value between 0 and FFFF
(or 0 and 65535 decimal, 2^16). Hexadecimal is used to keep the
already long IPv6 addresses notation more concise and readable. One
shorthand method of IPv6 notating involves abbreviating lists of
zeroes with double colons (::). For example, the IPv6 address
1234:5678:0000:0000:0000:0000:0000:1AF4 can instead be listed as
1234:5678::1AF4. The double colons indicate that all digits between
those listed are zeroes. Other improvements that IPv6 offers are
integrated authentication and encryption methods, automatic address
assignment capabilities, improved Quality of Service (QoS) methods,
and an improved header format that moves anything but essential
routing information to extension headers, allowing for quicker
processing. Despite all its advantages, IPv6 is still not heavily
implemented. As a network administrator it is important that you are
aware of IPv6 and its possible advantages for your environment, even
2
though you may not be required to use it for years to come. For more
information on the IPv6 standard, refer to RFC 2460.
When an IP packet arrives at a router, the router checks its destination to see
whether it knows how to get to the place where the packet wants to go. If it
does, it passes the packet to the appropriate network segment. The fact that a
router passes any packet whose destination it is aware of is called implicit
permit. Unless further security measures are added, all traffic is allowed in as
well as out. For this reason, a method is required to control the information
entering and exiting the interfaces of the router.
TCP and UDP Ports
The TCP part of TCP/IP stands for Transmission Control Protocol, and it is a
reliable transport-oriented way for information to be communicated. User
Datagram Protocol (UDP) is an unreliable transport protocol that works well
with programs that don't rely on the protocol to make sure their payload gets
where it's going. Both TCP and UDP use ports to keep track of
communication sessions. Certain ports are set aside as the particular ones
through which to contact a server running a given service such as HTTP (port
80), FTP (port 21), Telnet (port 23), DNS (port 53), or SMTP (port 25).
(These services and how to secure them are discussed in more detail later.)
The original RFC that documents well-known ports is RFC 1700. However,
for a more up-to-date informative list of all of TCP's and UDP's server-side
ports and the services to which they are assigned, check out this link to the
IANA website: http://www.iana.org/assignments/port-numbers. IANA is the
Internet Assigned Numbers Authoritythe good people who track the number
standards for the Internet as we know it.
When a client contacts a server, it randomly picks a source port numbered
above 1023 to go out through. Then the client contacts the server on a set
port, such as port 23 for Telnet. When the server replies, the information
leaves on port 23 and returns to the client on the random greater-than 1023
port from which it left. This port information is the only way that a packet
filter can determine the service it is filtering.
For example, you might want to filter out all Telnet traffic; you do so by
blocking all traffic directed at TCP port 23. You might also want to allow all
HTTP traffic coming to port 80. However, if someone is running a Telnet
server on port 80 somewhere on your network, and all you have for
3
protection is the aforementioned packet filter, the traffic passes. Packetfiltering systems don't have the intelligence to look beyond the port number
to determine what service is running at the application layer. You need to
keep this in mind when constructing filtering rules to block access to a
service that you are running on an alternative port. Sometimes, web servers
run on alternative ports, such as 8000, 8080, and the like; if you wanted to
allow access to said web servers, then creating a packet-filtering rule that
allows in standard HTTP traffic on port 80 wouldn't be effective.
TCP's Three-way Handshake
The Cisco ACL is one of the most available packet filters found today. The
means by which a Cisco router filters packets is known as an access control
list (ACL). An ACL serves as a laundry list of things for the router to look at
in the packet header, to decide whether the packet should be permitted or
denied access to a network segment. This is the basis of the traffic-control
features of a Cisco router.
Routers are a convenient choice for network filtering because they are
already a part of your network's infrastructure. One is located at your
4
Although examples in this chapter are given as Cisco access lists, other
software programs and devices use similar technology. Following is an
example of IPChains, one such program. IPChains is a packet-filtering
system that comes bundled with many versions of Linux. Though IPChains is
not as popular as it once was, being superseded by IPTables, you may still run
into it or choose to deploy it as an effective packet filtering mechanism for
your server or network.
If you wanted to block HTTP traffic from anywhere to your host
200.200.200.2 and log the matches, you would use the Cisco ACL:
access-list 111 deny tcp any host 200.200.200.2 eq 80 log
where A input means to place this rule on the end of the existing input
chain.
i eth1 tells IPChains to apply this rule to the interface etH1, -p tells the
protocol to watch for TCP, the -s parameter sets the source address, and
0.0.0.0/0 indicates to watch for any source address.
The /0 is the wildcard, and it means to match the specified bits exactly.
Because the wildcard is 0 in this case, it means "don't match anything exactly
or allow anything." This is equivalent to the Cisco any keyword.
The -d parameter is the destination address. In this example, it is equal to the
host address 200.200.200.2 because the /32 wildcard mask is used. It tells
IPChains to match the first 32 bits (or everything) exactly. This is equivalent
to using the 0.0.0.0 wildcard or the host keyword in Cisco ACLs.
The destination address in this case is followed by the port number of the
blocked protocol (80, for HTTP traffic). If the source port were filtered as
well, it would have followed the source address.
Finally, the -l parameter means "log this information," and j DENY stipulates
that any matching packets should be dropped and not to send any information
of this back to the sender. It is the counterpart to the Cisco deny keyword.
As you can see, although similar in function, static packet filters come in
different forms. Despite the differences in appearance and syntax, after you
have a grasp of packet-filtering concepts, your knowledge can be applied to
any of these filtration systems.
The Cisco ACL
The Cisco ACL is simply a means to filter traffic that crosses your router. It
has two major syntax types numbered and named lists and it comes in several
filtering types, including standard, extended, and reflexive, all of which will
be discussed in this chapter. Numbered access lists are entered in the format
access-list number criteria
where number is a given range that represents the type of access list it is. The
range 199 represents standard IP lists, and the range 100199 represents
extended IP lists. Over time, these basic ranges have been expanded to
include 13001999 for standard and 20002699 for extended. Other access list
number ranges are reserved for alternative protocols, and so on.
The named access list uses the format
ip access-list type name
where the type code stands for standard, extended, and so on, and the name
code represents a unique name for the list. This can help make the list more
identifiable. For example, "dnsinbound" might mean more to someone than
the number "113" does.
Upon entering the preceding command to start list creation, you are dropped
into a configuration mode just for that access list. Here, you can enter
filtering commands in the following format:
permit|deny
criteria
Either type of ACL works well and can be used separately or together.
Although standard and extended lists can be written in either format,
reflexive access lists can use only the named format. To remove either type of
ACL, reenter it preceded by the word no.
6
Rule Order
Many of the access lists demonstrated throughout this text are "deny" access
lists that show how to block a particular address or port. However, because of
a concept called implicit deny, dropping such a list into an otherwise empty
router configuration could cause the blocking of all traffic! Implicit deny
takes place when as little as one access list is added to an interface on a Cisco
router. The router stops its standard behavior of forwarding all routable traffic
and instead begins comparing all packets received to the newly added access
list. If the traffic doesn't match the applied access list(s), it is dropped.
Adding one simple access list changes the behavior of the router entirely.
Only packets that match the added access list as permitted traffic are allowed.
When multiple rules are added, even more concerns arise. Because rules are
processed from the top down and a packet only has to pass or fail one rule to
be dropped or allowed into the network, it is imperative to put specific filters
before general filters. Otherwise, a more general rule might allow a packet
access that may have been denied by another more specific rule later in the
access list. When a packet "matches" a rule, the packet is immediately
dropped (if it is a deny rule) or forwarded (if it is a permit rule) without being
tested by the rest of the access list entries.
Be careful when planning the order of access list rules. That is why a
complete access list rulebase needs to be laid out in advance and built from
the ground up. Adding rules carelessly is a sure recipe for disaster.
Note
Whenever possible, assemble your access lists following the precept "allow
what you need" rather than "deny what you don't."
Cisco IOS Basics
One of the things that packet-filtering technology is great for is the blocking
or allowing of traffic based on the IP address of the source system. Some
ways that this technology can be usefully applied are filters blocking specific
hosts (blacklisting), filters allowing specific hosts (such as business partners),
and in the implementation of ingress and egress filters. Any of these
examples can be implemented on a Cisco router by using a "standard" access
list.
The standard access list is used to specifically allow or disallow traffic from a
given source IP address only. It cannot filter based on destination or port
number. Because of these limitations, the standard access list is fast and
should be preferred when the source address is the only criteria on which you
need to filter.
The syntax for a standard access list is as follows:
access-list list number
source address mask log
1-99
or
1300-1999
permit
|deny
Notice that when ACLs were first created, the list number had to be 199. This
range was expanded in IOS version 12.0(1) to include the numbers 13001999. The only way that the Cisco IOS can identify the list as a standard ACL
is if a list number in one of these two ranges is used. The mask option is a
required wildcard mask, which tells the router whether this is a single host we
9
This filter's list number is 11. It denies any packet with a source network
address of 190.190.190 with any source host address. It is applied to the
interface inbound, so it filters the traffic on the way into the router's interface.
The command to apply the access list to your serial 1 interface would be
router(config-if)#ip access-group 11 in
One popular use of the standard access list is the "blacklisting" of particular
host networks. This means that you can block a single host or an entire
network from accessing your network. The most popular reason for blocking
a given address is mischief. If your intrusion detection system (IDS) shows
that you are being scanned constantly by a given address, or you have found
13
Spyware
Once I was perusing my logs to check for Internet connections from
my network during off-hours to see if anything peculiar was going
on. I noticed some connections that were initiated in the middle of
the night from various stations, repeatedly contacting a similar
network address. I did some research on the address and determined
that the maker of a popular freeware program owned it.
After a brief inspection of one of the "beaconing" stations, I found
that the freeware program in question was loaded on the system.
14
Another way you can use a standard access list is to permit traffic from a
given IP address. However, this is not recommended. Allowing access to an
address in this manner, without any kind of authentication, can make you a
candidate for attacks and scans that use spoofed addresses. Because we can
only filter on source address with a standard ACL, any inside device with an
IP address can be accessed. Also, it's impossible to protect individual services
on those devices. If you need to set up access like this and can't do it through
a solution that requires authentication or some type of VPN, it is probably
best to at least use an access list that considers more than the source address.
We'll discuss this more in the section on extended access lists. However, this
type of access may be suitable in situations requiring less security, such as
access between internal network segments. For example, if Bob in accounting
needs access to your intranet server segment, a standard ACL would be a
simple way to allow his station access.
Ingress Filtering
For example, imagine that you are in a world in which reserved private
addresses don't exist. You are installing a new private network for your
business that will have access to the Internet and will be running TCP/IP, so
you will have to come up with a range of IP addresses for your stations. You
don't want these stations to have public addressing because they won't be
serving information to the Internet, and you will be accessing the Internet
through a proxy server. You pick a range of IP addresses at random (say,
190.190.190.0255). You configure your stations and set up Internet access.
Everything is working great until the first time you attempt to access your
bank's website and receive an error. You call the bank, and the bank says that
everything is fine on its end. You eventually come to discover that the bank is
right. The bank's system you were trying to contact has a public IP address of
190.190.190.10, the same address you have configured for one of your own
stations. Every time your web browser goes to send information to the bank,
it never even leaves your internal network. You've been asking your CAD
station for a web page, and because your CAD station doesn't run web server
software, you've just been getting an error. This example paints a clearer
picture of why reserved addresses are so important for the interrelationship of
public and private TCP/IP networks.
The reserved ranges are as follows:
Class A: 10.0.0.010.255.255.255
Class B: 172.16.0.0172.31.255.255
Class C: 192.168.0.0192.168.255.255
Because these ranges are often used as internal network numbers, they are
good candidates for someone who is crafting packets or doing other
malicious packet-transmitting behavior, including denial of service.
Therefore, these ranges should be blocked at the outside of your network. In
addition, the loopback address 127.0.0.1 (the default address that all IP
stations use to "address" themselves) is another candidate for being blocked,
for the same reason. While you are blocking invalid addresses, you should
also block the multicast address range 224.0.0.0239.255.255.255 and the
invalid address 0.0.0.0. Following is a sample access list to accomplish this:
router(config)#access-list
router(config)#access-list
router(config)#access-list
router(config)#access-list
router(config)#access-list
router(config)#access-list
11
11
11
11
11
11
16
deny
deny
deny
deny
deny
deny
10.0.0.0 0.255.255.255
127.0.0.0 0.255.255.255
172.16.0.0 0.15.255.255
192.168.0.0 0.0.255.255
224.0.0.0 15.255.255.255
host 0.0.0.0
router(config-if)# ip access-group 11 in
These access lists are similar to the last one, denying access to the IP address
ranges listed in an inbound direction on the applied interface. Notice the
host keyword when blocking 0.0.0.0 in the previous example. When
blocking a single host, instead of following the IP address with the wildcard
0.0.0.0, you can precede the address with the keyword host. These lists have
the same "implicit deny" that any access list does. This means that
somewhere in access list number 11, a permit statement would have to exist;
otherwise, all inbound traffic would be denied! An example of an appropriate
permit statement might be one that allows the return of established traffic,
like the following:
router(config)#
established
access-list
111
permit
tcp
any
any
This is, however, an extended access list, which we'll talk more about later in
the section "Filtering by Port and Destination Address: The Cisco Extended
ACL."
It is also advisable that you create a rule to block traffic coming into your
network that claims to have a source address matching that of your internal
network, to complete your ingress access list. Valid traffic from the outside
world doesn't have to have the same addressing as your stations. However, if
this traffic is allowed to pass, it could bypass security mechanisms that think
the traffic is local. If you are using one of the standard private address ranges,
this is already done. If you're not, it would look like this:
router(config)#access-list 11 deny 201.201.201.0 0.0.0.255
17
Egress Filtering
Another use of standard access lists is for egress filters. The concept behind
an egress filter is that only packets with your network's source address should
be leaving your network. This seems like a forgone conclusion, but as stated
in the section on ingress filters, Trojans and other nefarious programs might
use a station on your network to send spoofed traffic to the rest of the world.
By creating an ACL that only allows your subnet's address in from your
network, you prevent this type of traffic from touching the outside world. Of
course, this won't help if the program doesn't spoof the source address, but
many such programs do to help slow the rate at which they can be traced.
Such an access list would look like this, assuming an internal network
address of 192.168.100.0:
router(config)#access-list 11 permit 192.168.1.0 0.0.0.255
Implicit deny takes care of denying all other source addresses. You could use
an extended access list to tighten this down even more and limit things such
as the types of traffic and destinations your stations are allowed to access.
This ACL would be applied to the inside interface inbound, effectively on the
outside edge of your router's network interface.
You might be wondering what the advantage is in implementing a rule such
as this. "What will this do for me?" you might be asking yourself. Well, it is
no different from dumping your tray at the local fast food restaurant; it's the
good neighbor policy. It doesn't do anything for you directly (other than
possibly prevent you from facing outside litigation), but if everyone did it, oh
what a world we would live in. Imagine the effect on distributed denial of
service attacks that use zombies stationed on innocent people's networks.
These filters (assuming that the denial of service [DoS] zombies take
advantage of some type of packet spoofing) could help cripple such zombies.
It is also possible to set up filters that prevent traffic from leaving your
network from specified systems. For example, imagine that you have a topsecret file server that has no Internet access. This system should only be
contacted from inside stations, and it should never contact the outside world
or be contacted from the outside world. You can place an ACL on the inside
router interface, inbound. It could be a part of the same access list that you
used for your egress filter, but it would have to be placed above the egress
filter because of the importance of rule order. If the top-secret file server's IP
address was 192.168.100.7, here is how the entire egress list would look:
18
The given host's packets would be filtered before the rule that allows all other
systems on the 192.168.100 network to enter the router. It should be noted
that this will deny all outbound traffic, so no Internet security updates or
downloading of the latest virus-definition file directly to this server.
Tracking Rejected Traffic
When creating Cisco router access lists, one of the greatest downfalls of the
log keyword is that it only records matches to the rule in question. Therefore,
if the rule is a permit rule, you lose the profoundly important information
about which packets are being denied. To track the traffic that is being
filtered by an implicit deny, add a "deny any" ACL with the log keyword (as
seen in the following example) to the bottom of the list in question.
Functionally, the deny any log command does the same thing as the
assumed implicit deny, but it facilitates the logging of denied traffic. One
good application of this concept is to track abnormal traffic that is being
filtered by the implicit deny at the end of an egress filter access list. Using
this method allows a means to track all outbound traffic that has a source
address other than that of your network. This is a great way to keep a handle
on any strange things that might be trying to sneak out of your network! Here
is a simple example of how you would tell the router to log blocked traffic:
access-list 11 deny any log
The Cisco extended ACL offers additional features that allow more control of
network traffic flow. Instead of only being able to filter on source address, we
have the additional flexibility of destination address filtering, filtering based
on protocol type, filtering on specific layer 4 port number information, flags,
19
and more. With this additional granularity, the effectiveness of the Cisco
router as a packet filter is greatly increased, making it viable for many
security concerns.
The extended access list syntax is as follows:
[View full width]
access-list number 100-199 or 2000-2699 permit|deny protocol
sourcesource-mask
source-port destination destination-maskdestination port
log|log-input options
You should recognize the first entries in the syntax from the standard access
list, up to the protocol keyword. This is where you would specify the
protocol you are interested in filtering. Possible selections are IP, TCP, UDP,
and ICMP. Because TCP, UDP, and ICMP are all forms of IP-based traffic,
when you use IP as the protocol on an access list, it permits or denies any of
the other three traffic types. If we had used an extended access list to
substitute for one of the standard access lists from the previous section, IP
would have been the appropriate choice because it would have blocked all IP
traffic types (UDP, TCP, and ICMP).
Remember the importance of rule order. Each incoming packet is checked by
each access list in order from top to bottom. When a packet matches the
criteria in any one of the access lists, an action is performed. If it is a permit
filter, the packet is forwarded; if it is a deny filter, the packet is dropped. No
rules test the packet beyond the rule that the packet matched. Use the
following code to allow a particular packet in (let's say that its IP address is
205.205.205.1) if it is TCP but to deny it entry if it uses any other IP protocol:
access-list 111 deny ip host 205.205.205.1 any
access-list 111 permit tcp host 205.205.205.1 any
The first rule would test true for a TCP packet of address 205.205.205.1.
Because it is a "deny" rule, the packet would be dropped. The packet would
never get to be tested by the second rule. If the two rules were reversed in
order, with the TCP rule first, the filter would work correctly.
In the extended access list's syntax, the source address and mask should look
familiar; the destination address and mask follow the same format, and
simply mean "where it is going" instead of "where it is from." The keyword
20
all addresses.
This is the first time you see ports listed as part of an access list. As
mentioned previously, ports are an important part of TCP/IP and the access
lists. The source port or destination port entry can specify the type of
traffic you want to allow or disallow. When specifying a port number or
name, you must also include an operator, such as eq (meaning equal to this
port number), gt (for any port above this number), lt (for any port less than
this number), or my favorite range (to list an entire contiguous range of port
numbers; use the syntax range port1 port2, where port1 is the first port
in the range and port2 is the last).
Extended access lists are configured and applied just like standard access
lists, including the association of an access group to an interface. Many
options can be added to the end of the access list, such as log (as mentioned
in the standard access list) or log-input (which also displays the input
interface and source MAC address), flags to check for, and the established
keyword.
"Friendly Net" Revisited
This example assumes that the trusted host is at address 100.100.100.1 and
our target web server is at address 200.200.200.2. We only allow traffic from
the trusted host on ephemeral ports, and only to port 80 on our web server.
We add the log keyword to track traffic that is passing this rule.
21
This is not secure. All this guarantees is that we have control over those
specified items, helping to lessen the ability of outsiders to exploit our
defense. This ACL can be subverted in other ways.
Only allowing port 80 traffic doesn't ensure that only web traffic will
transpire from the outside host to our web server. As a matter of fact, if a flaw
exists to be exploited in our web server, and an attacker can get a Telnet
program or other backdoor running on our web server on port 80, the server
might as well be wide open. If this system is on a private network and not on
a separate screened subnet, we are just a few leaps away from being fully
compromised, especially if the web server has a trust relationship with any
other mission-critical servers on our network.
Be sure to tightly harden the system if you elect to control access to its
resources solely through the use of packet filters, without further
authentication. If possible, run a multiple interface router (or packet-filtering
device) or multiple levels of packet-filtering devices where you can structure
a separate subnet for public access systems.
Filtering TCP and UDP Ports and ICMP Types
Another handy function of the extended access list is the filtering of certain
types of traffic. You can control the types of traffic that leave your network,
in effect enforcing your security policy. You can allow or disallow certain
types of traffic that enter your network. Denying traffic to a list of popular
Trojan program ports or to ports that programs use that conflict with your
Internet usage or security policies (IRC, Kazaa, instant messaging programs,
and so on) can also be an extra layer of defense. As stated previously, it
makes more sense to only allow what you need. A more common use of port
filtering is allowing traffic types that can enter or leave your network, like the
example in the previous section. For a list of mission-critical ports that any
environment should consider defending, see Appendix A of the SANS Top 20
Vulnerabilities, available at http://www.sans.org/top20.
Another use for this type of filtering is to allow or disallow certain
informative ICMP messages entrance to your network. ICMP is one of the
most exploited of the protocols. It is being used for reconnaissance, denial of
service attacks (such as smurf), and more. It is recommended that you block
incoming echo requests (ping and Windows traceroute), block any outgoing
echo replies, and block time exceeded, for maximum security. All the ICMP
traffic types can be blocked with extended ACLs. The use of any ICMP
blocking filters could affect network traffic control.
22
ICMP doesn't work like the other protocols. Instead of having port numbers,
it uses type and code identifiers. It is basically set up to send error messages
for protocols that can't (such as UDP and IP) and to send informational
messages (such as router error messages telling that a host is unreachable).
ICMP is used by popular end-to-end troubleshooting utilities such as ping
and traceroute. ICMP can be controlled by using Cisco access lists with
special ICMP keywords or ICMP type numbers, instead of port numbers such
as TCP and UDP access lists.
To block ICMP echo requests (ICMP type 8), we could use a line in an
extended access list such as this:
router(config)#access-list
request
111
deny
icmp
any
any
echo-
The main difference between this access list and others we have looked at is
the keyword at the end of the line. This keyword represents the ICMP type
and code for echo requests. It means, "deny any ICMP traffic from anywhere
to anywhere with the type and code set to echo-request." This filter would
be applied on the external router interface to the Internet. Other ICMP traffic
types can be filtered in the same way using their type-of-service keywords.
A better way to handle the ICMP blocking would be to allow only the types
of traffic that you want and then deny the rest. For example, one important
ICMP packet type to allow in is the packet-too-big ICMP unreachable
messages (type 3, code 4). This is because without this message, you could
have major communications issues. What if a host can't receive a packet
because it is too large for the router to handle and the router isn't allowed to
return information to the host telling it that the packet is too large? How will
the sender ever find out what is wrong and successfully communicate with
the host? Luckily, in this example, Cisco has an ICMP keyword for the
packet-too-big message. This keyword could be applied as follows,
permitting the packet-too-big messages, but denying all other ICMP
messages:
router(config)#access-list 111 permit icmp any any packettoo-big
router(config)#access-list 111 deny icmp any any
Despite the many positive uses of packet filters, problems exist due to
inherent limitations in the way packet filters work. Spoofed and fragmented
traffic can bypass the packet filter if protections aren't properly implemented.
In addition, because of the always-open nature of a "permit" static packet
filter, issues exist with opening such a "hole." Finally, allowing return traffic
can be difficult using a technology that lacks the ability to track the state of
the current traffic flow. To successfully defend a network with packet
filtering, these weaknesses must be understood.
Spoofing and Source Routing
filters come into play. The best place to cut off packets like these is where
they enter: on the perimeter router's interface that connects your network to
the Internet.
Fragments
25
This access list disallows any noninitial fragments that have matching IP
address information, but it allows non-fragments or initial fragments to
continue to the next access list entry because of the fragments keyword at
the end of the ACL. The initial fragments or non-fragments are denied or
allowed based on the access lists that follow the preceding example.
However, fragmented traffic is a normal part of some environments, and a
statement like the previous example would deny this normal traffic, as well as
maliciously fragmented traffic. This example would only be used in an
environment that warrants the highest security to fragmentation attacks,
without fear of the loss of potential usability.
Opening a "Hole" in a Static Packet Filter
One of the great flaws of static packet filtering is that to allow a protocol into
a network, you need to open a "hole." It is referred to as a hole because no
additional checking takes place of the type of traffic allowed in or out based
on more intelligent methods of detection. All you can do is open an
individual port on your protective wall; as with a bullet hole through a threefoot wall, you can't shoot anywhere else on the other side, but you can fire
straight through the existing hole repeatedly. The importance of this analogy
is that something must be on the other side at the port in question; otherwise,
you won't be able to hit it.
It is recommended when opening a port using an access list of this type that
you limit the target hosts as much as possible with the access list. Then, if
you have a secured server with all patches and no vulnerabilities (found as
often as elves and four leaf clovers) that you are allowing to service this port,
this isn't such a bad thing. However, if your host system is exploitable
through whatever port number you have open, it is possible that any traffic
can be sent through that "hole," not just the protocol that was running on the
host inside.
Two-way Traffic and the established Keyword
When we communicate with another host, it's not just us connecting to the
host, but also the host connecting to us a two-way connection. This presents a
26
This basic extended access list allows any TCP traffic that has the ACK bit
set, meaning that it allows only return traffic to pass. It is applied inbound on
the outside router interface, and it can log matches with the appended log
keyword. It also allows RST packets to enter (by definition) to help facilitate
proper TCP communication. A more secure version of this same list would be
this:
router(config)#access-list 101
192.168.1.0 0.0.0.255 gt 1023 est
router(config)#access-list 101
192.168.1.0 0.0.0.255 gt 1023 est
router(config)#access-list 101
192.168.1.0 0.0.0.255 gt 1023 est
router(config)#access-list 101
192.168.1.0 0.0.0.255 gt 1023 est
permit
log
permit
log
permit
log
permit
log
tcp
any
eq
80
tcp
any
eq
23
tcp
any
eq
25
tcp
any
eq
110
In this case, the inside network address is 192.168.1.0255. These access lists
are applied inbound on the external router interface. By writing your access
list this way, you allow traffic only from approved protocol port numbers
(web traffic, Telnet, email, and so on) to your internal network addresses, and
only to ephemeral ports on your systems. However, an access list of this type
still has problems. It would not support FTP for reasons we will go over in an
upcoming section, and it only handles TCP traffic.
The established Keyword and the Problem of DNS
Remember that the previous ACL did not allow UDP traffic or ICMP traffic.
The established (or est) keyword is only valid for TCP access lists.
Access lists allow needed ICMP and UDP traffic, which would have to be
included along side of this established access list, to form a
comprehensive filter set. Without UDP, outside DNS is a real problem,
disabling Internet functionality. This shows one of the biggest flaws of the
est keyword as an effective defense mechanism. To facilitate Internet access
with the est keyword, a UDP access list must be included, allowing any
DNS return traffic. Remember that return traffic is coming to a randomly
chosen port above 1023, which means that to effectively allow any DNS
responses, you need an access list like this:
access-list
101
permit
udp
host
172.16.100.0 0.0.0.255 gt 1023 log
28
192.168.1.1
eq
53
This ACL assumes that the external DNS server's address is 192.168.1.1 and
that your internal network is 172.16.100.0255. By adding this line to your
existing access list 101, you allow DNS responses to your network. However,
you also leave yourself open to outside access on ports greater than 1023
from that external DNS server. Your security red alert should be going off
about now! This would be a great argument for bringing DNS inside your
perimeter; however, that DNS server would then need to be able to access
outside DNS servers for queries and zone transfers. To allow the DNS server
to make outbound DNS queries, a similar access list would need to be added
to the router:
access-list 101 permit tcp any host 172.16.100.3 eq 53
access-list 101 permit udp any host 172.16.100.3 eq 53
This allows all traffic through port 53 to your inside (and hopefully wellhardened) DNS server. Ideally, such a public access server would be on a
separate screened subnet for maximum security.
Remember that neither solution provides for additional UDP or ICMP
support. If access to either is needed in your specific environment, more
"holes" have to be opened.
Protocol Problems: Extended Access Lists and FTP
File Transfer Protocol (FTP) is a popular means to move files back and forth
between remote systems. You need to be careful of outside FTP access
because it could allow a malicious user to pull company information or server
information (including password files) from inside servers. A user could
upload files in an attempt to fill a hard drive and crash a server, upload a
Trojan, or overwrite important server configuration files with ones that allow
compromise of the server.
FTP is also one of the more complicated services to secure because of the
way it works. Securing (or blocking) an incoming connection is relatively
easy, but securing outgoing FTP connections is considerably more difficult.
Let's take a look at a trace that shows standard FTP communication between
a client and a server.
First is the outgoing connection with TCP/IP's three-way handshake:
client.com.4567 > server.com.21: S 1234567890:1234567890(0)
server.com.21 > client.com.4567: S 3242456789:3242456789(0)
ack 1234567890
client.com.4567 > server.com.21: . ack 1
29
All traffic that comes from the server is established traffic, permitting
extended lists with the established keyword to function correctly. Using
PASV mode FTP requires both the FTP server and client to support PASV
mode transfers. Changing to passive FTP clients isn't a problem for most sites
because most popular FTP clients support PASV mode. Most of the major
web browsers support PASV mode FTP as well; however, this might require
some minor setup, such as going to a preferences section and selecting PASV
or passive FTP mode support. Using an ACL like the following example
would be one way to handle inbound return PASV FTP traffic:
30
tcp
any
gt
1023
that only return traffic is allowed (in theory), you must leave open all greaterthan 1023 TCP ports for return access because you don't know what data
channel port the FTP server you are contacting will choose.
Although this ACL is more secure than some of the previous options, it still
isn't a strong security stance. Wouldn't it be nice if it were possible to find out
what port number you were using to contact the PASV FTP server every time,
and use that information to allow the traffic back in?
Dynamic Packet Filtering and the Reflexive Access List
Many of the problems that face static packet filtering, the Cisco standard, and
extended access lists can be alleviated by dynamic packet-filtering
technology. The concept is that filters are built on-the-fly as needed and torn
down after connections are broken.
Reflexive access lists are examples of dynamic packet-filtering technology. A
criterion is set up on the outbound interface that watches defined connection
types to the outside world. When the traffic returns, it is compared to an
access list that was dynamically created as the outgoing traffic left the
network.
For example, perhaps you have a client that has an IP address of
192.168.100.2 and have set up a reflexive access list to check for TCP traffic
using the Telnet port. The reflexive access list would see the client sending
the Telnet packet out the greater than 1023 port (let's say 1072 was randomly
picked) to port 23 on some IP address (let's say 100.100.100.1) of a Telnet
server. The reflexive access list would then generate an incoming access list
based on this outgoing connection. It would take the outgoing connection
Client 192.168.100.2.1072 > telnet server 100.100.100.1.23
and reverse it into an incoming access list that permits traffic from
100.100.100.1 on port 23, to client 192.168.100.2 on port 1072, like this:
permit tcp host 100.100.100.1 eq 23 192.168.100.2 eq 1072
This dynamically generated list would be deleted after the connection was
ended (a graceful FIN exchange or RST packet was sent). Because this access
list type doesn't rely on the TCP flag bits set, it works with UDP and ICMP
traffic as well. For non-TCP traffic, the connection is torn down after a
timeout value expires. The timeout can be set per access list, or it can default
to the global timeout of 300 seconds. This feature allows maximum security
for return traffic because lists are created and removed for individual
communication sessions. This capability to keep track of connections makes
32
the reflexive access list the safest of the three access list types, but also the
slowest.
Syntactically, reflexive access lists are basically a subset of extended access
lists specifically, "named" extended access lists. Named lists were created in
Cisco IOS version 11.2 for two main reasons. First, large enterprises could
run out of numbers for access lists using the old method. Second, its name
could explain for what purpose the list was being used.
where name is the name of the access list you want to edit. The
prompt will change to look like this:
router(config-ext-nacl)#
In the past, a new entry would be placed after the last listed entry.
33
Notice the way that the prompt changes after entering the initial command,
which shows that we are now entering specific information into the named
access list. In the permit line, we have the reflect keyword and the name of
the reflexive access list with which we will be keeping track of our packet's
connection information. Of course, the last line applies the list to the network
interface, just like all previous examples, but now we do it by name. You
might remember from the explanation of reflexive access lists that every
connection has a dynamically created access list. These dynamic lists are
created based on an access list like the one in the previous example.
However, we need a component in the reverse direction to examine the
packets when they come back in. Take a look at a sample inbound filter:
router(config)#ip access-list extended infilter
router(config-ext-nacl)#evaluate mypackets
router(config-if)#ip access-group infilter in
This access list should look familiar, except for the second line. The
evaluate line checks the incoming packet flow versus the reflexive access
list information (in this case, mypackets) to see if it will pass the test of one
34
of its dynamically created lists. We now have a complete reflexive access list
with all its components!
FTP Problems Revisited with the Reflexive Access List
The filterout on this list permits all types of traffic out. Only TCP is
necessary for FTP, but the others are added to demonstrate a popular
configuration selection used with reflexive access lists, as mentioned
previously. The filterin evaluates the return traffic of the previous
outbound filter, and by the implied "deny all," it drops non-return FTP traffic
(and any other non-return traffic). The last group shows the application of the
filterin inbound and filterout outbound on the appropriate internal and
external ports. Filter order isn't an issue, as the example appears here. It is
possible to add other permit and deny access lists into this filter, being careful
to ensure that nothing permitting TCP port 21 traffic comes before the rule in
filterin and that the evaluate line terminates the list. The evaluate line
must always terminate the list.
You can test the effectiveness of this filter using a properly implemented
PASV FTP client. This filter, though the most secure of the FTP options you
have seen so far, still only works with PASV FTP. The only way to securely
allow standard FTP outbound through a Cisco router is by using a part of the
Cisco Secure Integrated Software (formerly the Firewall Feature Set) called
context-based access control (CBAC), which inspects traffic and watches for
inbound connections based on common behaviors of known protocols.
35
One of the greatest advantages of reflexive ACLs over extended ACLs with
the established keyword is that reflexive access lists can handle UDP and
ICMP traffic. One place that this is helpful is with DNS traffic.
As previously mentioned, incoming UDP DNS return traffic is an issue
because it can't be tracked by the established command; therefore, a
specific access list must be made to allow DNS return traffic. With the
reflexive access list, this is no longer necessary. Using the same access list
used in the "FTP Problems Revisited with the Reflexive Access List" section,
DNS return traffic is handled dynamically. Because the outgoing connection
is aware of the ephemeral port that the DNS request is using, the dynamically
created ACL can reflect (pardon the pun) that information, making a much
more secure access control list.
Trouble in Paradise: Problems with Reflexive Access Lists
Yes, just when you thought you had found the panacea of packet filtering, the
disclaimer comes about. Even reflexive access lists aren't perfect. However,
due to the dynamic nature by which they are created and deleted, they are
much more difficult to pass than other packet filters. One reset packet is all
that is required to entirely remove a reflexively generated ACL.
Another issue with reflexive access lists is that they keep no record of TCP
flags, so initial traffic could flow in without an alarm being sounded. How
feasible is this? Look at the following example:
permit tcp host 100.100.100.1 eq 23 192.168.100.2 eq 1072
This way, controls exist for the types of traffic leaving the network. However,
if the virus or Trojan happens to use one of these popular traffic types, you
are just as vulnerable. This is why it is important to deploy extra layers of
defense, such as virus checkers and host firewall defenses. Despite the fact
that reflexive ACLs can be a more effective means to defend your network
using dynamically generated host and port access lists, they still have the
inherent limitations of packet-filtering technology that need to be considered
before choosing them as your protection method of choice. They also put
more of a burden on your router than static ACLs, so implement them with
caution.
For two complete examples of reflexive access lists, refer to Appendix A,
"Cisco Access List Sample Configurations."
Cisco IPv6 Access Lists
With the advent of IP version 6, Cisco access lists have changed. IPv6
extended access list support started to be accommodated for in IOS versions
12.0(23)S and 12.2(13)T or later. Previously there were limited IOS versions
that supported features similar to standard access list functionality for IPv6,
only allowing filtering based on source addressing. The IPv6 extended access
lists, though similar to their IPv4 predecessors, require slightly different
commands. Because IPv6 is not backward compatible with IPv4, new
commands needed to be created for IPv6-related functions.
Access lists are still created in config mode, but the process of creating an
IPv6 access list is instead started with the following command:
Router(config)#ipv6 access-list name
Here, name is some descriptive name for the IPv6 access list. This will place
you into IPv6 access-list configuration mode. The prompt will change to look
like this:
Router(config-ipv6-acl)#
38
Now permit or deny access list statements can be added. Here is an example
of a permit statement for this access list:
It follows the same format as IPv4 extended access lists permit or deny,
followed by protocol identifier. Supported keywords include ipv6 for layer 3
access lists using IPv6 addressing, along with protocol identifiers ahp, esp,
tcp, udp, pcp, stcp, and icmp. This is followed by the source and
destination address in IPv6 format, and the any and host keywords can still
also be used. This version of access list can accommodate the double-colon
abbreviation, as shown in the example. One minor difference in the source
and destination address notation is the new way the subnet mask is entered.
Instead of listing out the value of the subnet mask, as was commonly done
with IPv4, it is now shown as /xxx where xxx is some number between 0
and 128. This number represents the number of bits in the subnet mask. The
entry can be ended with a trailing keyword. It can be any of the trailing
keywords used in IPv4, with the exception of keywords that only refer to
IPv4 features (tos and precedence). Also, there are several new keywords
to accommodate IPv6 features. IPv6 extension header information can be
filtered with the flow-label and routing keywords. Also, the sequence
keyword allows similar functionality to the IPv4 named access list feature of
the same name. However, in IPv6 lists, the sequence keyword is added after
the list instead of at the beginning:
permit tcp any any sequence 5
IPv6 extended access lists also have support for reflexive access list
capability with the use of the reflect keyword. This functionality is
identical to IPv4 reflexive access lists.
IPv6 access lists are displayed using the following command:
Router# sh ipv6 access-list name
The name option can be left off to display all IPv6 access lists.
As IPv6 continues to be more and more supported throughout the Internet,
understanding IPv6 access list features will become a crucial part of securing
your network environment.
39
Summary
Throughout this chapter, we've discussed the many ways that packet filtering
can be used as a means to secure the perimeter. We discussed the positive and
negative points of using a packet filter as the means to control traffic flow
based on address and port, and the weaknesses of the packet-filtering
technology. We also discussed the improvement of packet-filtering
technology through the use of dynamic packet filters.
Despite weaknesses in the packet filter's capability to track information and
understand what it is tracking, it still has many uses that can make it a
valuable part of your perimeter defense. Filters can be utilized to screen out
unwanted traffic at the perimeter, to prevent possibly dangerous traffic from
leaving your network, and even to tailor incoming traffic that is allowed.
Packet filters can be used in conjunction with other firewalls as a layer of an
intricate defense-in-depth posture or as a standalone solution in lower-risk
areas or where budgets are tight. After all, protection of information is a
balancing act between the value of the data and the cost to protect it.
Packet-filtering technology can be a useful means to protect your network as
long as you implement it with due consideration to its strengths and
weaknesses.
References
40