<HTML><HEAD><TITLE>Chapter 13 -- How Filtering Routers Work</TITLE><META></HEAD><BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#0000EE" VLINK="#551A8B" ALINK="#CE2910"><H1><FONT SIZE=6 COLOR=#FF0000>Chapter 13</FONT></H1><H1><FONT SIZE=6 COLOR=#FF0000>How Filtering Routers Work</FONT></H1><HR><P><CENTER><B><FONT SIZE=5><A NAME="CONTENTS">CONTENTS</A></FONT></B></CENTER><UL><LI><A HREF="#HowFilteringRoutersWork">How Filtering Routers Work</A></UL><HR>
<P>Often, routers are the first line of defense against unauthorized access to an intranet. The only way anyone outside the intranet can reach it is through a router, so the router is the natural first place to put security rules. Routers can also be used within an intranet to prevent internal security breaches.
<P>Routers examine every packet coming into and going out of an intranet and decide where to send each one so that it reaches the proper address. They can control the type and direction of traffic permitted, and they can decide whether a packet should be delivered at all. In other words, they can block certain packets from coming into or going out of an intranet.
<P>When routers are used in this way, to protect an intranet by blocking certain packets, they are called <I>filtering routers</I> or <I>screening routers</I>.
<P>An intranet administrator establishes a filtering table containing rules about which packets are allowed to pass and which are to be dropped. Each packet coming into or going out of an intranet carries several layers of information: the data being sent, the kind of Internet service being used (FTP, Telnet, and so forth, identified by port number), the source and destination addresses of the packet, and other information. Filtering routers use the information in those layers to decide which rules in the filtering table apply to each packet. When a packet passes through the router, the router examines it, consults the filtering table, and then decides which action to take. A * wildcard at the end of an IP address applies a rule to an entire subnet or group of servers rather than to a single host.
<P>Rules can differ for incoming and outgoing packets. This means people inside the intranet can be given one level of access to services and data while people outside the intranet are kept away from intranet resources and data.
<P>For example, a filtering router can allow people inside an intranet to Telnet to outside hosts while refusing anyone outside who tries to Telnet into the intranet. It can block specific source addresses from reaching the intranet. A filtering router also knows which of its interfaces each packet arrived on. Even if someone forged the source address in an IP header to look like a legitimate internal user, the router would see an internal address arriving on the Internet-facing interface, the port through which outbound traffic leaves. That combination can only be an attack, so the router drops the packet.<H2><A NAME="HowFilteringRoutersWork"><FONT SIZE=5 COLOR=#FF0000>How Filtering Routers Work</FONT></A></H2><P>Filtering routers, sometimes called screening routers, are the first line of defense against attacks on an intranet. They examine every packet moving between networks within an intranet as well as every packet arriving from the Internet.
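<P>The filtering table described above, as an added example that is not from the book: a small Python model of a screening router with a first-match rule table, the trailing * wildcard for whole subnets, direction-aware rules (Telnet permitted outbound but not inbound, rlogin banned both ways, identified by destination ports 23 and 513), a drop log, and the anti-spoofing check that discards a packet carrying an intranet source address when it arrives on the Internet-facing interface. The interface names "inside" and "outside", the 10.1.0.0/16 intranet block, the hostile address and the sample traffic are all constructed for illustration. Packets no rule mentions are dropped and logged, the fail-closed default a practitioner would want even though the chapter does not spell it out.

```python
# Toy model of a screening router's filtering table. Added example, not code
# from the book: the interface names, the 10.1.0.0/16 intranet block, the
# hostile address and the sample traffic are all constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

def pattern_to_network(pattern: str) -> IPv4Network:
    """Turn a table entry into a network: a trailing '*' stands for the rest
    of the address ('10.1.*' is 10.1.0.0/16, '*' alone is everything, and a
    full address such as '10.1.5.80' is the single host /32)."""
    octets = pattern.split(".")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    # Wildcards may only follow the fixed octets; '10.*.5.*' is rejected.
    if len(octets) > 4 or any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"bad address pattern: {pattern!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return IPv4Network(f"{base}/{8 * len(fixed)}")

@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrived on
    src: str                     # source address from the IP header
    dst: str                     # destination address from the IP header
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port from the transport header

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    iface: str                   # arrival interface, or "*" for either
    src: str                     # source address pattern
    dst: str                     # destination address pattern
    proto: str = "*"
    dport: Optional[int] = None  # None matches any port
    note: str = ""               # reason, written to the log on a drop

    def matches(self, pkt: Packet) -> bool:
        return (self.iface in ("*", pkt.iface)
                and self.proto in ("*", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and IPv4Address(pkt.src) in pattern_to_network(self.src)
                and IPv4Address(pkt.dst) in pattern_to_network(self.dst))

def filter_packet(pkt: Packet, table: List[Rule], log: List[str]) -> str:
    """First matching rule decides. A packet no rule mentions is dropped and
    logged: a screening router should fail closed, not forward by default."""
    for rule in table:
        if rule.matches(pkt):
            if rule.action == "deny":
                log.append(f"DROP {pkt.iface} {pkt.src}->{pkt.dst} "
                           f"{pkt.proto}/{pkt.dport} ({rule.note})")
            return rule.action
    log.append(f"DROP {pkt.iface} {pkt.src}->{pkt.dst} "
               f"{pkt.proto}/{pkt.dport} (no matching rule)")
    return "deny"

INTRANET = "10.1.*"  # constructed intranet address block

# Order matters: the anti-spoofing rule and the hostile-host block sit above
# the permits that would otherwise match the same packets.
FILTER_TABLE = [
    Rule("deny",   "outside", INTRANET,      "*",         note="internal source arriving from outside (spoofed)"),
    Rule("deny",   "*",       "*",           "*",         "tcp", 513, note="rlogin banned in both directions"),
    Rule("deny",   "outside", "*",           "*",         "tcp", 23,  note="no inbound Telnet"),
    Rule("deny",   "outside", "203.0.113.7", "*",         note="known hostile host"),
    Rule("permit", "outside", "*",           "10.1.5.80", "tcp", 80,  note="public web server"),
    Rule("permit", "inside",  INTRANET,      "*",         note="intranet users may reach the Internet"),
]

SAMPLE_TRAFFIC = [  # constructed packets, one per behaviour worth checking
    Packet("inside",  "10.1.2.3",     "198.51.100.9", "tcp", 23),   # Telnet out
    Packet("outside", "198.51.100.9", "10.1.2.3",     "tcp", 23),   # Telnet in
    Packet("outside", "10.1.2.3",     "10.1.5.80",    "tcp", 80),   # spoofed source
    Packet("outside", "198.51.100.9", "10.1.5.80",    "tcp", 80),   # web request
    Packet("outside", "203.0.113.7",  "10.1.5.80",    "tcp", 80),   # hostile host
    Packet("inside",  "10.1.2.3",     "198.51.100.9", "tcp", 513),  # rlogin out
    Packet("outside", "198.51.100.9", "10.1.5.80",    "udp", 53),   # nothing permits this
]

def run_table(packets=SAMPLE_TRAFFIC, table=FILTER_TABLE) -> Tuple[List[str], List[str]]:
    """Return the verdict for each packet and the router's drop log."""
    log: List[str] = []
    return [filter_packet(pkt, table, log) for pkt in packets], log

if __name__ == "__main__":
    verdicts, log = run_table()
    for pkt, verdict in zip(SAMPLE_TRAFFIC, verdicts):
        print(f"{verdict:6} {pkt.iface:7} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
    print("\n".join(log))
```

<P>Two things to notice when running it. The table is read top to bottom and the first match wins, so the hostile-host deny must sit above the web-server permit or the hostile host would be let through to port 80; swapping those two lines changes the verdict on the fifth packet. And the anti-spoofing rule is keyed on the arrival interface, not on the address alone: the same 10.1.2.3 source is permitted when it comes from "inside" and dropped when it comes from "outside".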
An intranet administrator establishes the rules the routers use to decide which packets should be passed and which dropped.<OL><LI>Different rules can be set up for incoming and outgoing packets, so that intranet users can be given access to Internet services while anyone on the Internet is barred from certain intranet services and data.<LI>Filtering routers can keep logs of filtering activity. Commonly they record the packets that were not allowed to pass between the Internet and the intranet; a run of such entries is a sign that the intranet has been under attack.<LI>The router examines the IP header, which wraps the transport-layer header and the data. Any given packet therefore carries data plus two sets of headers, one from the transport layer and one from the Internet layer. Filtering routers examine both headers to decide whether to let the packet pass.<LI>Source addresses are read from the IP header and compared with the source address entries in the filtering table. Addresses known to be dangerous can be listed so that the router drops their traffic.<LI>Routers can have different rules for different subnets, since subnets may require different levels of security. A subnet holding highly private financial or competitive information might carry many restrictions; an engineering subnet may have few restrictions on incoming or outgoing activity.<LI>A filtering router can give intranet users access to services like Telnet and FTP while refusing Internet users who try to use those services to reach the intranet. The same technique can keep internal users away from restricted data on the intranet. For example, it can allow the finance department outgoing use of FTP while dropping FTP requests from the engineering department into the finance department.<LI>Certain kinds of services are more dangerous than others. For example, FTP is used to download files, but a downloaded file may carry a virus. Telnet and the <I>rlogin</I> command (like Telnet but with a greater risk of security break-ins) are banned by rules in the filtering table that identify the service by its source or destination port number. Telnet uses port 23 and rlogin uses port 513.<LI><I>Address spoofing</I> is a common method of attack. In address spoofing, someone outside the intranet forges a source address so that it appears to the router to belong to a host inside the intranet. The spoofer hopes to trick the filtering router into allowing more access than an externally originated address would be given. If the router were convinced that the spoofer was already inside the intranet, private files could potentially be sent outside it.<LI>Filtering routers have a way of handling address spoofing. A rule can tell the router to check the source address in every IP header arriving from outside: if the source address is internal but the packet is coming from outside the intranet, the router drops it. The mirror-image rule on outgoing packets, dropping anything that leaves the intranet with a source address that is not internal, keeps the intranet's own hosts from being used to spoof other networks.</OL><HR><CENTER><P><A HREF="ch12.htm"><IMG SRC="PC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="#CONTENTS"><IMG SRC="CC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="contents.htm"><IMG SRC="HB.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="ch14.htm"><IMG SRC="NC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><HR WIDTH="100%"></P></CENTER></BODY></HTML>