Packet Filtering

Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.
A router acts as a packet filter when it forwards or denies packets according to filtering rules. When a packet arrives at the packet-filtering router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet can pass through or be discarded. Packet filtering works at the network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.
As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. These rules are defined using access control lists (ACLs).

Recall that an ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols. The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on:
Source IP address
Destination IP address
ICMP message type

The ACL can also extract upper-layer information and test it against its rules. Upper-layer information includes:
TCP/UDP source port
TCP/UDP destination port

Packet Filtering Example
To understand the concept of how a router uses packet filtering, imagine that a guard has been posted at a locked door. The guard's instructions are to allow only people whose names appear on a list to pass through the door. The guard is filtering people based on the criterion of having their names on the authorized list.
For example, you could say, "Only permit web access to users from network A. Deny web access to users from network B, but permit them to have all other access." Refer to the figure to examine the decision path the packet filter uses to accomplish this task.
If the packet is a TCP SYN from network A using port 80, it is allowed to pass. All other access is denied to those users.
If the packet is a TCP SYN from network B using port 80, it is blocked. However, all other access is permitted.
This is just a simple example. You can configure multiple rules to further permit or deny services to specific users. You can also filter packets at the port level using an extended ACL, which is covered in Section 3.
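The decision path described above, written out as a small first-match packet-filter evaluator. This is an added example, not code from the original page or from any router vendor: the network addresses standing in for "network A" and "network B", the Packet and Rule classes, and the sample packets are all constructed for illustration. The evaluator walks the rule list top to bottom and lets the first matching statement decide; a packet that matches no statement is denied, which is how a Cisco router treats the end of an ACL.

```python
# Added example: a first-match packet filter modelled on an extended ACL.
# Networks, rules and sample packets are constructed; none come from the page.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter inspects (Layer 3 plus upper-layer ports)."""
    src: str                         # source IP address
    dst: str                         # destination IP address
    proto: str                       # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None   # TCP/UDP source port
    dst_port: Optional[int] = None   # TCP/UDP destination port
    syn: bool = False                # TCP SYN flag set (a new connection attempt)
    icmp_type: Optional[int] = None  # ICMP message type


@dataclass(frozen=True)
class Rule:
    """One permit/deny statement. A field left at None matches anything."""
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # source network, CIDR notation
    dst: str = "0.0.0.0/0"           # destination network, CIDR notation
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    syn_only: bool = False           # match only TCP packets with SYN set
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.syn_only and not (pkt.proto == "tcp" and pkt.syn):
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Walk the ACL in order; the first matching statement decides.
    A packet that matches no statement is denied (implicit deny)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed address ranges standing in for "network A" and "network B".
NET_A = "192.168.10.0/24"
NET_B = "192.168.20.0/24"

# The policy from the text: web access only for A, everything except web for B.
EXAMPLE_ACL = [
    Rule("permit", src=NET_A, proto="tcp", dst_port=80, syn_only=True),  # A may open web sessions
    Rule("deny", src=NET_A),                                              # A gets nothing else
    Rule("deny", src=NET_B, proto="tcp", dst_port=80),                    # B gets no web access
    Rule("permit", src=NET_B),                                            # B gets everything else
]                                                                          # any other source: implicit deny


def decide(pkt: Packet) -> str:
    """Apply the example ACL to one packet and return "permit" or "deny"."""
    return evaluate(EXAMPLE_ACL, pkt)


if __name__ == "__main__":
    samples = [
        Packet("192.168.10.5", "203.0.113.10", "tcp", 51000, 80, syn=True),   # A -> web
        Packet("192.168.10.5", "203.0.113.10", "udp", 51001, 53),             # A -> DNS
        Packet("192.168.20.7", "203.0.113.10", "tcp", 51002, 80, syn=True),   # B -> web
        Packet("192.168.20.7", "203.0.113.10", "tcp", 51003, 443, syn=True),  # B -> HTTPS
        Packet("192.168.20.7", "203.0.113.10", "icmp", icmp_type=8),          # B -> ping
        Packet("10.0.0.1", "203.0.113.10", "tcp", 51004, 80, syn=True),       # neither network
    ]
    for p in samples:
        print(f"{p.src:>14} {p.proto:<4} dport={p.dst_port} syn={p.syn} -> {decide(p)}")
```

Rule order matters: the two statements for network A must stay ahead of the catch-all deny for A, and the web deny for B ahead of B's catch-all permit, or the broader statement swallows the specific one. The first rule matches only the SYN of a web session, exactly as the text describes; a filter meant to carry real web traffic would also need a statement for the rest of the established flow.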
