Monday, April 7, 2008

Filtering on IP Addresses

To briefly review, the IP protocol is used by higher-level protocols (such as TCP and UDP) to provide a connectionless, best-effort data-delivery service. To do so, the IP datagram encapsulates the TCP or UDP segment by prepending a header that carries the source and destination IP addresses, a protocol number identifying the encapsulated protocol, a time-to-live (TTL) value, and other control fields. Port numbers are not part of the IP header; they sit in the TCP or UDP header inside the IP payload, which is why a filter that matches on ports has to look past the IP header. The datagram is then passed farther down the protocol stack, where it is eventually transmitted on the wire bit by bit by the physical components of the network.

Routers can easily be configured to examine the contents of the IP header and drop packets that don't match a set of rules that the network or firewall administrator configures on the router. Perhaps the most obvious example is to filter out packets arriving from the Internet whose source address falls within the address range used on the internal network. Such a packet, if it were genuine, would have to originate inside the network, so it should never arrive from the outside! The same rule is usually extended to private and other unroutable address ranges that should never appear as the source of a packet on the Internet-facing interface. It is easy to forge IP packets so that the source address, as well as other header fields, is set to anything a hacker desires, and a lot of programs that do exactly this are freely available on the Internet.

When a packet with a forged internal source address is sent into your network, the destination server or workstation is likely to accept it as valid, thinking it comes from a user on the local network, and process it as usual; services that grant access on the basis of the source address alone are the ones most at risk. Using this method, it's easy to get packets into your network and actually have them delivered when they should not be.


This is only one example of a good reason to filter packets based on the addressing information in the IP header. Because addresses can be forged, and because it's not practical to list all the millions of addresses allocated to computers on the Internet and pick and choose among them, you need to be cautious when using this kind of specific filtering. For example, suppose your network becomes the target of a denial-of-service attack. You can use a network analyzer to discover the source addresses of the packets and quickly insert a rule in the router (or firewall product) that drops all packets coming from the network those addresses belong to. Bear in mind, though, that the attacker may be forging those source addresses too: the rule would then block an innocent network while the attacker simply switches to another range, so treat such a rule as a temporary response rather than a permanent fix.

Filtering Based on Protocols

In the IP header, a field indicates which protocol the packet is carrying data for. For example, if the IP packet is carrying TCP data, the protocol field in the IP header is 6; if it's carrying an ICMP (Internet Control Message Protocol) message, the protocol number is 1 (UDP is 17). The capability to filter out certain protocols is useful because many of the protocols in use on the Internet were created many years ago, when security was not as much of an issue as it is in today's commercial Internet.

Take ICMP, for example. The Ping utility uses ICMP packets to determine whether another host is reachable. An ICMP ECHO REQUEST (type 8) packet is sent to the address of the host in question; if it receives the packet, the destination sends back an ICMP ECHO REPLY (type 0). Sounds simple and safe, doesn't it? Well, it is simple, but not necessarily safe. Inside your network, Ping is a useful tool for quickly determining that somewhere along the network path something is wrong and a computer is not reachable, whether the destination you are pinging is inside your network or on the Internet.

However, just as you wouldn't give your credit-card number to a stranger, it's not a good idea to give out any information about your network, especially the addresses of the computers on it, to an outsider. And that's exactly what answering pings can do. It's easy to write a program that cycles through a range of IP addresses, sending an ICMP ECHO REQUEST to each one and noting which replies come back (a "ping sweep"). This saves a malicious hacker time, because he now knows which addresses are in use and can proceed to probe those systems for a way in. Because automated tools are available for continuing the hacker's probe, it's imperative that you keep your network address information as private as you can.

If you've ever received those boring telemarketing calls during the early evening hours, you can understand how this works. The telemarketers just cycle through phone numbers until someone picks up the phone and answers. Allowing ICMP ECHO REPLY packets to answer requests from outside your network is the equivalent of picking up the phone. Although you can hang up on a telemarketing call, after a hacker has your network address, she can always try back later when you're not around and use a wide variety of tools to probe your system to determine what is needed to get inside.

For this reason, it's usually a good idea to block incoming ICMP ECHO REQUEST packets. You probably don't want to block outgoing packets of the same sort, because they serve a useful purpose: you can allow users inside your network to Ping servers on the Internet. Note that if your filter is stateless, permitting outgoing ECHO REQUESTs also means permitting the incoming ECHO REPLYs they generate; otherwise your users' pings will never get an answer. For example, suppose you want to place an order with a business that has a website, yet its home page doesn't come up in your browser. You can Ping the business's server to see whether it is on the Net and functioning, and then start your troubleshooting from there to find out why you can't bring up the Web page. If you Ping the site and get no response, you know that either it's down or somewhere along the network path a router or other device (possibly the site's own firewall, following the very advice given here) is not letting the traffic through.

The same goes for you if you offer a service on the Internet: outsiders have to be able to reach the servers that provide it. In that case, however, you should make sure that your Web servers are highly secured and located on a network segment that limits the damage should those servers be compromised. This network segment is called a demilitarized zone (DMZ).

Another utility that uses ICMP is Tracert (traceroute on Unix systems). This command probes the network path and returns a list of the routers and other intermediary devices a packet passes through on its way to a destination address. It works by sending probes with increasing TTL values (Windows Tracert sends ICMP ECHO REQUESTs; most Unix traceroutes send UDP datagrams by default) and listening for the ICMP TIME EXCEEDED message each router returns when the TTL runs out. Again, this is a useful tool when used properly, but you should block inbound probes at your firewall and consider dropping the TIME EXCEEDED replies your internal routers would otherwise send back out, so that an outside traceroute sees nothing but timeouts past your border. Do you want outsiders to know the addresses of routers and other devices on your network? After an outsider has an address and knows that a computer is online using it, it's easy to use one of the many hacker tools available on the Internet to begin breaking into the computer.
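The rules discussed in this post (dropping forged internal source addresses at the border, an emergency blocklist for a denial-of-service source, matching on the IP protocol field, blocking inbound ICMP ECHO REQUESTs while letting replies to our own pings and traceroutes back in, and hiding internal routers from traceroute) modelled as a small stateless packet filter in Python. This is an added example, not code from the original post or from any router or firewall vendor; it parses raw IPv4 datagrams so the header fields the rules match on are visible rather than using a real router's rule syntax. The topology it assumes is constructed: an internal LAN of 192.0.2.0/24, a DMZ web server at 198.51.100.10, and hypothetical helper names (build_ipv4, parse_ipv4, filter_packet, run_sample_traffic); the sample datagrams are built inline.

```python
import ipaddress
import struct

# Assumed (constructed) topology, using documentation address ranges.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # inside LAN
DMZ_WEB = ipaddress.ip_address("198.51.100.10")   # public web server in the DMZ

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17  # IP header protocol field values
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4(src, dst, proto, payload):
    """Assemble a minimal IPv4 datagram (checksum left zero; this is a model)."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


def build_icmp(icmp_type, code=0):
    """Minimal 8-byte ICMP header: type, code, checksum (zero), rest-of-header."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


def parse_ipv4(datagram):
    """Return the IP header fields a filter matches on, plus the payload.

    Port numbers are NOT here: they sit in the TCP/UDP header that starts at
    offset IHL, which is why the header length has to be decoded.
    """
    version_ihl, _tos, _length, _ident, _flags, ttl, proto, _cksum, src, dst = \
        struct.unpack(IPV4_HDR, datagram[:20])
    ihl = (version_ihl & 0x0F) * 4
    return {
        "version": version_ihl >> 4,
        "ihl": ihl,
        "ttl": ttl,
        "proto": proto,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "payload": datagram[ihl:],
    }


def icmp_type_of(pkt):
    """ICMP type byte, or None when the payload is too short to hold a header."""
    return pkt["payload"][0] if len(pkt["payload"]) >= 8 else None


def filter_packet(datagram, direction, blocked=()):
    """Decide the fate of one datagram crossing the border router.

    direction: "in" (arriving from the Internet) or "out" (leaving).
    blocked:   prefixes added in response to an attack, e.g. ("203.0.113.0/24",).
    Returns (verdict, reason).
    """
    if len(datagram) < 20:
        return "DROP", "truncated header"
    pkt = parse_ipv4(datagram)
    if pkt["version"] != 4:
        return "DROP", "not IPv4"

    if direction == "in":
        # Anti-spoofing: an internal source cannot legitimately arrive from
        # the Internet side, so it must be forged.
        if pkt["src"] in INTERNAL:
            return "DROP", "spoofed internal source"
        # Emergency blocklist; these sources may be forged too (see caveat).
        if any(pkt["src"] in ipaddress.ip_network(p) for p in blocked):
            return "DROP", "source in emergency blocklist"
        if pkt["proto"] == IPPROTO_ICMP:
            itype = icmp_type_of(pkt)
            if itype == ICMP_ECHO_REQUEST:
                return "DROP", "inbound echo request (ping sweep / tracert)"
            if itype in (ICMP_ECHO_REPLY, ICMP_TIME_EXCEEDED):
                # Answers to pings/traceroutes our own users sent; a stateless
                # filter has to let these back in or outbound Ping is useless.
                return "ACCEPT", "reply to an outbound probe"
            return "DROP", "other inbound ICMP"
        if pkt["proto"] == IPPROTO_TCP and pkt["dst"] == DMZ_WEB:
            return "ACCEPT", "TCP to DMZ web server"
        return "DROP", "default deny inbound"

    # Outbound: only our own addresses may leave, so this network cannot be
    # used to forge someone else's source address.
    if pkt["src"] not in INTERNAL and pkt["src"] != DMZ_WEB:
        return "DROP", "egress source is not ours"
    if pkt["proto"] == IPPROTO_ICMP and icmp_type_of(pkt) == ICMP_TIME_EXCEEDED:
        # Swallow the TTL-expired replies internal routers generate, so an
        # outside traceroute sees "* * *" instead of their addresses.
        return "DROP", "outbound time exceeded"
    return "ACCEPT", "outbound traffic"


def run_sample_traffic():
    """Constructed sample datagrams exercising each rule; returns the verdicts."""
    tcp_segment = b"\x00" * 20  # placeholder TCP header; ports are not matched here
    cases = [
        ("in", build_ipv4("192.0.2.55", "192.0.2.10", IPPROTO_TCP, tcp_segment)),  # forged inside source
        ("in", build_ipv4("203.0.113.9", "198.51.100.10", IPPROTO_ICMP, build_icmp(ICMP_ECHO_REQUEST))),
        ("in", build_ipv4("203.0.113.9", "192.0.2.10", IPPROTO_ICMP, build_icmp(ICMP_ECHO_REPLY))),
        ("in", build_ipv4("203.0.113.9", "198.51.100.10", IPPROTO_TCP, tcp_segment)),  # web visitor
        ("out", build_ipv4("192.0.2.10", "203.0.113.9", IPPROTO_ICMP, build_icmp(ICMP_ECHO_REQUEST))),
        ("out", build_ipv4("192.0.2.1", "203.0.113.9", IPPROTO_ICMP, build_icmp(ICMP_TIME_EXCEEDED))),
    ]
    return [filter_packet(d, direction)[0] for direction, d in cases]


if __name__ == "__main__":
    for verdict in run_sample_traffic():
        print(verdict)
```

Two things the model makes concrete: the inbound ECHO REPLY and TIME EXCEEDED types must be allowed for the outbound Ping and traceroute the post recommends to keep working, and the `blocked` prefixes are a separate, temporary list precisely because a flooding attacker can forge the sources you would otherwise be blocking.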
