Internet & Intranet Security
8.3 PACKET-FILTERING PRODUCTS
As mentioned in Section 8.2, a steadily increasing number of commercial router products (e.g., from Cisco Systems, Nortel Networks, and 3Com) provide support for packet filtering, and these routers are commonly referred to as screening routers. In any case, it is always a good idea to disable IP source routing on a screening router. Whether IP source routing can be disabled at all, whether it is enabled or disabled by default, and how to disable it all vary from product to product. For example, on a Cisco router one can usually disable source routing with the command no ip source-route. Other vendors use a similar command syntax.
In addition to screening routers, there are several tools and utilities available on the Internet that can be used for IP packet filtering:
- For example, the screend software package was originally designed and developed by Jeff Mogul [1] and is now being maintained by Paul Vixie. The screend package provides a daemon and kernel modifications to allow all packets to be filtered based on source IP address, destination IP address, or any other byte or set of bytes in the packet. The software works on most systems that use Berkeley-style networking in the kernel, but requires some kernel modifications.
- Similarly, there are several PC-based packet-filtering products available that are not able to route IP packets and therefore act as a bridge between the network segments they interconnect. Probably the two most widely used and deployed examples are Drawbridge and KarlBridge.
- Drawbridge comes along with the copyrighted but publicly and freely available Texas A&M University (TAMU) security tools [11].[5]
- The KarlBridge has evolved from a simple PC program that was originally written by Doug Karl at Ohio State University. Karl later cofounded Karl-Net, Inc.[6] to commercialize the program and to develop and market similar products.
- Installation and configuration of Drawbridge and the KarlBridge are described in [12] and are not further addressed in this book.
- Finally, there is an increasingly large number of software packages that include packet-filtering capabilities as an additional feature. For example, the latest version of PGP (i.e., PGP Desktop Security 7.0) incorporates a personal firewall that can also be configured to implement an IP packet filter.
Today, it is more and more common to have packet-filtering capabilities built into (network) operating systems. Systems running Windows NT or Windows 2000 can be configured to implement quite sophisticated packet-filtering rules. For example, in the case of Windows NT, you start with the Control Panel and press the Network icon. On the Network Protocols panel illustrated in Figure 8.1, you press the Properties button and come to the IP Address panel as illustrated in Figure 8.2. On the bottom right of this panel, there is an "Advanced…" button. If you press this button, you come to the Advanced IP Addressing panel illustrated in Figure 8.3. Finally, if you click the "Configure…" button on the bottom left, you are able to configure Windows NT's packet-filtering rules in a window similar to the one illustrated in Figure 8.4. In this TCP/IP Security panel, it is possible to collectively or selectively permit TCP and UDP ports, as well as IP protocols. The use of this panel is intuitive and need not be further explained in this book.
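To make the two screening decisions discussed in this section concrete (dropping source-routed packets, as with no ip source-route, and permitting only listed TCP/UDP ports and IP protocols, as in the Windows NT TCP/IP Security panel), the following is an added illustration written for this text; it is not code from screend, Drawbridge, KarlBridge, any router vendor, or Windows NT. Packets, addresses, and the permit lists are constructed samples; the header builder leaves the checksum at zero.

```python
import struct

LSRR, SSRR = 131, 137      # IPv4 option type codes for loose/strict source routing
TCP, UDP = 6, 17           # IP protocol numbers

def ipv4_option_types(pkt: bytes) -> list:
    """Return the option type codes in an IPv4 header (empty if IHL == 5)."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, i, found = pkt[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == 0:                       # End of Option List
            break
        if t == 1:                       # No-Operation: one byte, no length field
            i += 1
            continue
        found.append(t)
        i += opts[i + 1] if i + 1 < len(opts) and opts[i + 1] >= 2 else len(opts)
    return found

def screen(pkt: bytes, tcp_ports=None, udp_ports=None, ip_protocols=None, source_route=False) -> str:
    """Screening-router style verdict: 'permit' or 'deny: <reason>'. A permit list of None
    means 'permit all' for that category; source_route=False mirrors 'no ip source-route'."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if not source_route and any(t in (LSRR, SSRR) for t in ipv4_option_types(pkt)):
        return "deny: source-routed packet"
    if ip_protocols is not None and proto not in ip_protocols:
        return "deny: protocol %d" % proto
    if proto in (TCP, UDP):
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        allowed = tcp_ports if proto == TCP else udp_ports
        if allowed is not None and dport not in allowed:
            return "deny: %s port %d" % ("tcp" if proto == TCP else "udp", dport)
    return "permit"

def build_ipv4(proto: int, dport: int, options: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4 header (+options) and a stub transport header."""
    options += b"\x00" * (-len(options) % 4)         # pad option field to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + 8, 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + options + struct.pack("!HH", 40000, dport) + b"\x00" * 4

if __name__ == "__main__":
    lsrr = b"\x83\x07\x04" + bytes([192, 0, 2, 9])   # LSRR: type 131, length 7, pointer 4, one hop
    print(screen(build_ipv4(TCP, 80, lsrr)))                       # deny: source-routed packet
    print(screen(build_ipv4(TCP, 80), tcp_ports={25, 80}))         # permit
    print(screen(build_ipv4(UDP, 53), udp_ports={123}))            # deny: udp port 53
```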
[5]You may refer either to ftp://net.tamu.edu/pub/security/TAMU/ (using FTP) or to http://www.net.tamu.edu/ftp/security/TAMU/ (using HTTP).
[6]http://www.karlnet.com