Reference: "Hacker attack drills", 2nd edition, Ed Skoudis and Tom Liston
1. Traditional packet filters
Can also be implemented on routers. It works on one packet at a time: the device parses each packet and decides whether to discard it.
The decision is usually based on the source and destination IP addresses, the port numbers, and the TCP control bits.
A packet with the SYN bit set is part of connection initiation; a packet with the ACK bit set is treated as part of an established connection.
Packet filters have their own filtering rules; each rule states whether a particular type of packet is accepted or discarded.
There are two ways of matching packets against rules: best match and first match.
First match works as follows: the device receives a packet, scans the rules in order, and applies the first rule that matches. The common layout is to list the rules for permitted packets first and to end with a drop rule that matches all remaining packets.
Main benefits: fast processing, quick decision on whether to discard or accept a packet. Widely used in internal network routers and in border routers that connect a LAN to the Internet.
Main drawback: little understanding of what the packet actually does; the filter cannot tell whether an incoming ACK packet is a response to a web request or an attack. UDP packets have the same problem because they carry no control bits. Attackers can easily slip through the filter.
2. Stateful packet filter
An upgrade of the traditional packet filter: it has memory, remembers the packets that previously passed through the device, and makes decisions based on that history.
Internally there is a state table that stores each active connection and other remembered packets. The filter makes decisions based on both the packet-filtering rules and the state table.
When a TCP packet with the SYN control bit is sent, the state table records it. When a new packet tries to pass through the device, the filter consults the state table as well as the static rules.
If the rules stipulate that only packets belonging to an earlier connection may pass, then an ACK passes the filter only when a corresponding SYN packet was seen earlier; otherwise the ACK is discarded.
The attacker's sneaky idea resurfaces: if a packet with the ACK bit set can pass through the filter, then such packets can be generated with a tool and sent at the target continuously.
--So the stateful packet filter also has a setting: the memory of a SYN packet, often between 10 s and 90 s, after which the SYN entry expires and subsequent ACK packets are discarded.
The stateful filter likewise remembers SYN packets sent outward in requests; if an ACK packet arrives from an external system and corresponds to a SYN entry, it is allowed into the network. If there is no corresponding SYN entry, the packet is discarded.
For UDP, incoming UDP packets are allowed through only if a previous outbound packet exists.
FTP transfer requires two connections: the FTP control connection and the FTP data connection. A stateful filter can be configured to allow the FTP data connection only after the FTP control connection has been established.
Main drawback: slower, but custom chips can compensate for this to some extent.
Main benefit: improved security
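As an added illustration (not from the book or the original notes), the following Python model contrasts the first-match stateless filter from section 1 with a stateful filter that keeps a SYN table with a timeout, as described in section 2. The rule set, addresses, ports and the 30-second timeout are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

# Constructed first-match rule set: (predicate, verdict); the last rule drops everything else.
STATIC_RULES = [
    (lambda p: p.proto == "tcp" and p.dport == 80 and p.syn and not p.ack, "accept"),
    (lambda p: p.proto == "tcp" and p.ack, "accept"),  # "established" judged by the ACK bit alone
    (lambda p: True, "drop"),
]

def stateless_filter(p):
    """Traditional packet filter: the first rule that matches decides."""
    for matches, verdict in STATIC_RULES:
        if matches(p):
            return verdict

class StatefulFilter:
    """Remembers SYNs it passed and admits an ACK only if it answers one of them."""
    def __init__(self, syn_timeout=30.0):
        self.syns = {}  # (src, sport, dst, dport) -> time the SYN was accepted
        self.timeout = syn_timeout

    def check(self, p, now):
        # Expire stale SYN entries so a forged ACK cannot ride on an old one.
        self.syns = {k: t for k, t in self.syns.items() if now - t <= self.timeout}
        if p.proto == "tcp" and p.syn and not p.ack:
            verdict = stateless_filter(p)
            if verdict == "accept":
                self.syns[(p.src, p.sport, p.dst, p.dport)] = now
            return verdict
        if p.proto == "tcp" and p.ack:
            reply_of = (p.dst, p.dport, p.src, p.sport)   # ACK answering a recorded SYN
            return "accept" if reply_of in self.syns else "drop"
        return stateless_filter(p)

def demo():
    """Constructed traffic: one legitimate web connection and one unsolicited ACK probe."""
    sf = StatefulFilter(syn_timeout=30.0)
    syn = Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 80, syn=True)
    syn_ack = Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 40000, syn=True, ack=True)
    probe = Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 22, ack=True)  # unsolicited ACK
    return (stateless_filter(probe), sf.check(probe, 0.0), sf.check(syn, 1.0),
            sf.check(syn_ack, 2.0), sf.check(syn_ack, 100.0))

if __name__ == "__main__":
    print(demo())  # ('accept', 'drop', 'accept', 'accept', 'drop')
```

The first verdict shows the stateless filter accepting the bare ACK probe; the stateful filter drops it, admits the SYN and its reply, and drops the same reply once the SYN entry has timed out.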
3. Proxy-based firewalls
Proxies operate at the application layer and understand the protocol thoroughly; they do not have the ACK attack problem of traditional packet filters, because an ACK by itself is not part of a meaningful application request (--not understood).
A proxy-based firewall can inspect application-level protocols. For example, a web proxy can ensure that all traffic is properly formatted HTTP, rather than only checking that it is headed for TCP port 80.
The proxy can allow or deny application-level functions. For FTP, the proxy can allow FTP GET and deny FTP PUT, letting users download but denying uploads.
Main drawback: slower, with CPU and memory overhead.
4. Network-based intrusion prevention system
Monitors packets flowing through the network and matches them against a set of signatures.
"Web Security" IV: Firewall Technical notes