RFC 2196: Site Security Handbook
RFC-Ref

filter



... security complexity can grow exponentially with the number of services provided. Filtering routers need to be modified to support the new protocols ...
... to support the new protocols. Some protocols are inherently difficult to filter safely (e.g., RPC and UDP services ...
... DNS masters from denial of service attacks using filtering routers. ...
... device. Firewalls are typically built using two different components, filtering routers and proxy servers. ...
... Filtering routers are the easiest component to conceptualize in a firewall ...
... and "routes" it to its destination on network B. A filtering router does the same thing but decides not only how to route ...
... whether it should route the packet. This is done by installing a series of filters by which the router decides what to do with any given packet of data. ...
... version is outside the scope of this document. However, when evaluating a router to be used for filtering packets, the following criteria can be important when implementing a filtering ...
... filtering packets, the following criteria can be important when implementing a filtering policy: source and destination IP address, source and destination ...
... flow (i.e., A->B or B->A). Other information necessary to construct a secure filtering scheme are whether the router reorders filter instructions ...
... filtering scheme are whether the router reorders filter instructions (designed to optimize filters, this can sometimes change the meaning ...
... router reorders filter instructions (designed to optimize filters, this can sometimes change the meaning and cause unintended access), and whether it is possible to apply filters ...
... filters, this can sometimes change the meaning and cause unintended access), and whether it is possible to apply filters for inbound and outbound packets on each interface (if the router ...
... interface (if the router filters only outbound packets then the router is "outside" of its filters ...
... filters only outbound packets then the router is "outside" of its filters and may be more vulnerable to attack). In addition to the router ...
... the router being vulnerable, this distinction between applying filters on inbound or outbound packets is especially relevant for routers with more than 2 interfaces ...
... interfaces. Other important issues are the ability to create filters based on IP header options and the fragment ...
... fragment state of a packet. Building a good filter can be very difficult and requires a good understanding of the type of services (protocols) ...
... For better security, the filters usually restrict access between the two connected nets to just one host, the bastion host ...
... Internet, but not be able to "put" internal files on a remote server. By contrast, a filtering router could either block all FTP access, or ...


... Network(In) Security Through IP Packet Filtering", USENIX: Proceedings of the Third UNIX Security Symposium, Baltimore, MD ...


