562 Chapter 15: Network Security Technologies
Packet filtering can be done by permitting only "established connections" to enter from the
outside back into the customer network. Because every TCP segment after the initial SYN carries
the acknowledgment (ACK) flag, as soon as an internal user initiates a connection from a
workstation, the returning packets have the ACK bit set and are allowed through to the host PC.
A connection initiated from the outside begins with a SYN that does not have the ACK bit set, so
it is denied entry into the network. This technique is quite common. Packet filtering is
integrated in all Cisco routers but has limited functionality. The router can be set to filter
by the following:
· Source and destination network address
· Source and destination port number
· Protocol type
TIP
Place extended access lists closest to the source. Place standard access lists closest to the
destination.
Packet-filtering firewalls have other benefits. They do the following:
· Support network address translation (NAT)
· Log access-list violations
· Filter multiple protocols (IP, IPX, DECnet, AppleTalk, and others)
TIP
Secure the perimeter router. This is a good idea as a first line of defense and to guard against
denial-of-service attacks.
Packet-filtering firewalls also have disadvantages:
· Complex rules are difficult to configure, implement, and manage.
· Some applications (those that require dynamic ports) cannot be secured completely.
· Packet-filtering firewalls do not scale well.
TIP
A design rule of thumb is to block all UDP traffic from the Internet, unless a specific service
needs to be allowed in.
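The following Cisco IOS access list is an added example, not configuration from the book, showing the "established connections" filter described at the start of this section together with the UDP rule of thumb and the extended-ACL placement tip. The topology is constructed for the example: Serial0/0 is the perimeter interface facing the ISP, the customer network is 10.1.0.0/16, 10.1.0.53 is an internal DNS resolver, and 10.1.0.80 is a public web server.

```cisco
! Constructed topology for this example: Serial0/0 faces the Internet,
! the customer network is 10.1.0.0/16, 10.1.0.53 is the internal DNS
! resolver, and 10.1.0.80 is a public web server.
!
! Extended ACL 101 is applied inbound on the perimeter interface, that is,
! closest to the source, as the TIP for extended access lists recommends.
!
! 1. Return traffic for sessions the inside initiated: "established" matches
!    only TCP segments with the ACK or RST bit set, so a fresh SYN arriving
!    from the outside falls through to the deny at the end of the list.
access-list 101 permit tcp any 10.1.0.0 0.0.255.255 established
!
! 2. The one TCP service that must be reachable from outside.
access-list 101 permit tcp any host 10.1.0.80 eq www
!
! 3. UDP: block everything from the Internet except the single service that
!    needs it (DNS replies, source port 53, back to the internal resolver).
access-list 101 permit udp any eq domain host 10.1.0.53
access-list 101 deny   udp any any log
!
! 4. Everything else is dropped. Writing the deny explicitly with "log" makes
!    access-list violations visible in syslog instead of silently hitting the
!    implicit deny.
access-list 101 deny   ip any any log
!
interface Serial0/0
 description Link to ISP (outside)
 ip access-group 101 in
```

After applying it, show access-lists displays per-line match counters, so a rising count on the two deny lines is the quickest check that the filter is seeing and rejecting unsolicited inbound traffic. Note that established inspects only the TCP flags of each packet and keeps no record of which sessions the inside actually opened, which is the root of the "cannot be secured completely" disadvantage listed above; a stateful mechanism is needed where that matters.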