Packet Filtering

1. Packet Filtering Introduction

This tutorial covers packet filtering, so first we must define what it is. Packet filtering is the process of allowing or blocking packets at an arbitrary layer of the OSI model: physical, data-link, network, transport, session, presentation or application. More about OSI can be read on the Wikipedia page [1]. Usually we're talking about allowing or blocking packets at the network layer, which contains an IP header. The following picture of an IP header was taken from Wikipedia [2]:


The picture shows the layout of the IP header. The IP header is used for routing packets through the Internet, because it contains the most important information of all protocol headers, including the following fields:

  • Source IP Address [32-bit]: The IP address where the packet originated.
  • Destination IP Address [32-bit]: The IP address where the packet is going.

The IP header shown belongs to the IPv4 protocol, but there is also IPv6, which contains the same information, except that both source and destination IP addresses are 128 bits in length. But we're not limited to IPv4 and IPv6, which are used for routing the packets through the Internet. There are also other protocols that hold the source and destination address of each packet – like TODO.

We must also take a look at another protocol that is above the IP protocol, the TCP protocol, which is used to reliably deliver all the packets that belong to the same packet stream. The TCP header is outlined in the next picture – taken from [3]:


Important pieces of the TCP protocol header are the following fields:

  • Source port: from which port the packet was sent.
  • Destination port: to which port the packet is going.
  • Flags: URG, ACK, PSH, RST, SYN, FIN, read more on [3].

The fields outlined above in the IP and TCP headers are the pieces of information most commonly monitored when packet filtering is in use. A packet filter looks at the source IP address, destination IP address, source port number, destination port number, flags and other information to decide whether a packet should be accepted or rejected. Usually, a packet filter is also smart enough to remember previous packets and analyze them together to decide whether a packet is considered malicious and is rejected/dropped, or whether it should be passed through.
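The field extraction described above, as an added example that is not part of the original tutorial: a parser that pulls the addresses, ports and TCP flags out of a raw IPv4 packet, honoring the variable IP header length and skipping fragments that carry no TCP header. The names `parse_ipv4_tcp` and `build_sample` and the sample addresses are constructed for this illustration.

```python
import socket
import struct

FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # TCP flag bits 0..5

def parse_ipv4_tcp(packet: bytes) -> dict:
    """Return the fields a packet filter matches on, from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; IP options make it > 20
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid IPv4 header length")
    fields = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
              "proto": proto}
    # Only TCP (protocol 6) carries these ports/flags, and only the first
    # fragment (fragment offset 0) contains the TCP header at all.
    if proto != 6 or frag & 0x1FFF:
        return fields
    tcp = packet[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", tcp)
    fields.update(sport=sport, dport=dport, flags={
        name for bit, name in enumerate(FLAG_NAMES) if off_flags & (1 << bit)})
    return fields

def build_sample(options: bytes = b"", frag_offset: int = 0) -> bytes:
    """Constructed test packet: SYN from 192.0.2.10:51000 to 198.51.100.7:22."""
    ihl = 5 + len(options) // 4  # options must be a multiple of 4 bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 20, 0, frag_offset,
                     64, 6, 0, socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7"))
    tcp = struct.pack("!HHIIHHHH", 51000, 22, 1, 0, (5 << 12) | 0x02, 65535, 0, 0)
    return ip + options + tcp
```

A parser that assumed a fixed 20-byte IP header would read the option bytes as port numbers in the second test case, which is why the header length field is checked first.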

2. Capabilities of a Packet Filter

A packet filter has to have the following capabilities:

  1. Examination of each packet's data and headers.

Each packet is examined when it arrives at the packet filter. This is done with the help of the filtering rules described in the next point.

  2. A set of rules which define what to do with the packet.

These rules define what a packet filter should look for when it receives a packet. It usually looks for the information we've already talked about, like source IP address, destination IP address, source port number, destination port number, etc.

  3. The actions taken based on the result of the examination.

There are numerous actions which can be used when a packet filter receives a packet and has filtering rules defined. Based on defined filtering rules, a packet filter can do the following:

  • a. Accept only packets that are certainly safe – based on a set of rules. Drop all other packets.
  • b. Drop only packets that are certainly unsafe – based on a set of rules. Accept all other packets.
  • c. If a packet is received for which there is no filtering rule defined, ask a user what to do with it.
  • d. Block a user coming from a defined source IP address, because too many packets were received in too short of a time window.
  • e. Almost any action can be applied against a packet or a set of packets – the sky is the limit. If we want to send an HTTP response that includes "Hello, my name is Santa Claus" to every HTTP request coming from a given IP address, we could define a rule that does that.
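One way to implement actions a, b and d from the list above, as an added example that is not part of the original tutorial: a first-match rule set with a configurable default policy and a per-source rate limit that temporarily blocks a sender. The `PacketFilter` class, its rule tuple format and the thresholds are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict, deque

class PacketFilter:
    """First-match rule evaluation with a default policy and a rate-based block."""

    def __init__(self, rules, default="DROP", max_packets=5, window=1.0, ban=60.0):
        # rules: list of (action, source CIDR, destination port or None for any port)
        self.rules = [(a, ipaddress.ip_network(net), port) for a, net, port in rules]
        self.default = default          # "DROP" gives action a, "ACCEPT" gives action b
        self.max_packets, self.window, self.ban = max_packets, window, ban
        self.seen = defaultdict(deque)  # source IP -> timestamps of recent packets
        self.banned = {}                # source IP -> time at which the block expires

    def decide(self, src, dport, now):
        """Return "ACCEPT" or "DROP" for a packet seen at time `now` (seconds)."""
        if self.banned.get(src, 0) > now:
            return "DROP"               # action d: the source is still blocked
        times = self.seen[src]
        times.append(now)
        while times and times[0] <= now - self.window:
            times.popleft()             # forget packets that left the time window
        if len(times) > self.max_packets:
            self.banned[src] = now + self.ban
            return "DROP"
        addr = ipaddress.ip_address(src)
        for action, net, port in self.rules:
            if addr in net and port in (None, dport):
                return action           # the first matching rule wins
        return self.default             # no rule matched: fall back to the policy
```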

3. Packet Filtering Security Categories

We can present an overview of packet filtering with the following picture:


We can see that the abstract term packet filtering can be divided into more specific terms that are used throughout the information security field. Below we'll describe each component of the picture to get a better understanding of it. I've divided the abstract definition of packet filtering into the following components:

First I must mention that there has already been an introduction to IPS/IDS/Firewall on InfosecInstitute, including their capabilities and differences: Intrusion Prevention System: First Line of Defense. To summarize the important observation from that article: "a firewall is used to allow or block traffic, whereas an IPS's job is to determine if there is something malicious in the traffic allowed by the firewall". So an IDS/IPS is really not a replacement for a firewall, nor the other way around; instead, those tools must be used in conjunction to implement defense in depth.

1. Firewall

A firewall can be either software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a predetermined rule set. A network's firewall builds a bridge between an internal network that is assumed to be secure and trusted, and another network, usually an external (inter)network, such as the Internet, that is not assumed to be secure and trusted [4].

2. IDS (Intrusion Detection Systems)

An intrusion detection system can be software-based or hardware-based and is used to monitor network packets or systems for malicious activity and take a specific action if such activity is detected. Usually, if malicious activity is detected on the network, the source IP of the malicious traffic is blocked for a certain period of time, and all of the packets from that IP address will be rejected.

There are several types of intrusion detection systems:

  1. Network intrusion detection system (NIDS)

NIDS detects malicious activity by monitoring and examining network traffic. This type of IDS usually runs where packets enter a specific network, on a special hardware component whose only job is to monitor and accept/reject packets from the Internet and let them into the local network. Example: Snort.

  2. Host-based intrusion detection system (HIDS)

HIDS detects malicious activity by monitoring and examining system calls, application logs, access control lists, etc. HIDS usually contains a software agent that needs to be installed on the operating system. Examples: Tripwire, OSSEC.

  3. Wireless intrusion detection system (WIDS)

WIDS monitors a wireless network for malicious behavior, which can be the number of packets sent in a time window, too many deauthentication packets, too many broadcast requests, etc. WIDS usually runs on an AP (Access Point) and doesn't allow certain users to connect to it if malicious activity is detected.

  4. Network behavior analysis (NDA)

NDA monitors network traffic passively to detect unknown and unusual patterns that might be a threat. It should be used together with the firewall as well as other types of IDS systems.

3. IPS (Intrusion Prevention Systems)

The intrusion prevention system is basically an upgrade of the intrusion detection system. Where the IDS is used to detect and log the attack, the IPS is used to detect, block and log the attack. IPS systems are able to prevent certain attacks while they are happening. There are multiple types of IPS systems, but we won't describe them in detail, since they are the same as with IDS systems, with the exception that all of the types of IPS system also prevent the attack from continuing. The types of IPS systems are: NIPS, HIPS, WIPS, NDA.

4. SIEM (Security Information and Event Management)

With SIEM we can monitor security alerts generated by various software or hardware solutions that are used for detecting malicious activity. SIEM consists of:

  • SIM (Security Information Management): provides the analysis and reporting of the logged data.
  • SEM (Security Event Management): provides monitoring and correlation of events.

A SIEM gathers information/data at a single point and provides a human-readable security report about the malicious behavior that is happening in our network. A SIEM solution must work in real time, so we can secure our network in a timely fashion. What would happen if we received a report about a security breach that is a month old? It wouldn't help us a lot, since the attacker is probably long gone with all the data that he needed.

SIEM capabilities are the following – summarized from [5]:

  • Data Aggregation: provides means to join data together from many sources: network, servers, databases, applications.
  • Correlation: correlates data into meaningful sets to learn something new from it.
  • Alerting: analysis of correlated events and alerting the recipients of detected security issues.
  • Dashboards: provides means to present data in meaningful charts.
  • Compliance: automatically gather all the needed data and produce reports.
  • Retention: provides long-term storage of historical data for later analysis.

A SIEM also implements a log monitoring and analysis frontend, but we've nevertheless shown these as independent points in the above picture, because other tools are available just for that. We can also write our own script that takes the logs and reports malicious activity.
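A script of the kind mentioned above, added here as an example and not part of the original tutorial: it aggregates two log sources into common events, correlates them per source IP inside a time window, and returns the addresses worth alerting on. Both log line formats, the sample lines and the thresholds are constructed assumptions, not the output of any particular product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs; both line formats are assumptions made for this example.
FW_LINES = [
    "2024-05-01T10:00:01 DROP SRC=203.0.113.5 DPT=23",
    "2024-05-01T10:00:03 DROP SRC=203.0.113.5 DPT=3389",
    "2024-05-01T10:00:05 DROP SRC=198.51.100.20 DPT=23",
    "2024-05-01T10:40:00 DROP SRC=198.51.100.20 DPT=445",
]
AUTH_LINES = [
    "2024-05-01T10:01:10 sshd: Failed password for root from 203.0.113.5",
    "2024-05-01T10:01:12 sshd: Failed password for admin from 203.0.113.5",
    "2024-05-01T10:02:00 sshd: Failed password for root from 198.51.100.20",
    "2024-05-01T10:41:00 sshd: Failed password for root from 198.51.100.20",
]
FW_RE = re.compile(r"^(\S+) DROP SRC=(\S+) DPT=\d+$")
AUTH_RE = re.compile(r"^(\S+) sshd: Failed password for \S+ from (\S+)$")

def normalize(fw_lines, auth_lines):
    """Aggregation: merge both sources into time-sorted (time, ip, kind) events."""
    events = []
    for lines, regex, kind in ((fw_lines, FW_RE, "fw_drop"),
                               (auth_lines, AUTH_RE, "auth_fail")):
        for line in lines:
            m = regex.match(line)
            if m:  # lines that do not parse are skipped
                events.append((datetime.fromisoformat(m[1]), m[2], kind))
    return sorted(events)

def correlate(events, window=timedelta(minutes=5), min_each=2):
    """Correlation and alerting: IPs with min_each events of BOTH kinds in one window."""
    by_ip = defaultdict(list)
    for ts, ip, kind in events:
        by_ip[ip].append((ts, kind))
    alerts = []
    for ip, evs in by_ip.items():
        for i, (start, _) in enumerate(evs):
            kinds = [k for ts, k in evs[i:] if ts - start <= window]
            if min(kinds.count("fw_drop"), kinds.count("auth_fail")) >= min_each:
                alerts.append(ip)
                break
    return sorted(alerts)
```

Neither source alone flags 203.0.113.5 as more than noise; the alert comes from seeing dropped probes and failed logins from the same address within five minutes.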

5. Log Monitoring and Analysis Frontend

We can't ignore the analysis frontend, which is also an important part of the overall picture, since this is the tool we use to look at the malicious activity that happened on our network. There are quite a few frontends available and they are listed here:

  1. Prelude

Prelude is a universal SIEM system that collects, archives, normalizes, sorts, aggregates, correlates and reports all security related events [6].

  2. OSSIM

OSSIM can also be classified as SIEM, but it also includes other features.

  3. Sguil

Sguil is a network security analysis and frontend tool. It provides a graphical user interface that gives realtime access to gathered data.

  4. Prewikka

Prewikka is a graphical front-end analysis console for Prelude.


[1] OSI Model, accessible on

[2] IPv4, accessible on

[3] Transmission Control Protocol, accessible on

[4] Oppliger, Rolf (May 1997). "Internet Security: FIREWALLS and BEYOND". Communications of the ACM 40 (5): 94.

[5] Security information and event management, accessible on

[6] Prelude, accessible on