Understanding Packet Filtering - PowerPoint PPT Presentation

Slides: 22
Provided by: MikeS6

1
Understanding Packet Filtering
  • Packet filtering lets you control which data
    packets can enter a computer, based on
    Transmission Control Protocol/Internet Protocol
    (TCP/IP) criteria such as port and protocol
    numbers.
  • The system examines each packet arriving over the
    network interface and either admits it or
    discards it based on the values of specific
    fields in the protocol headers.
  • Packet filters can be inclusive or exclusive,
    meaning that the filter configuration you create
    can specify either that traffic be blocked or be
    permitted.

2
Windows 2003 Packet Filtering
  • Packet filtering is a security technique commonly
    used by routers or by dedicated firewalls that
    are used to isolate a private network from the
    Internet.
  • Microsoft Windows 2003 has rudimentary packet
    filtering capabilities built into its TCP/IP
    client that you can use to protect an individual
    computer.
  • The Windows 2003 Routing and Remote Access
    Service (RRAS) includes a more comprehensive
    packet filtering mechanism that you can use to
    set filters for specific network interfaces and
    for incoming or outgoing traffic.

3
Packet Filtering Characteristics
  • Hardware addresses. Packet filtering based on
    hardware addresses enables only certain computers
    to transmit data through the filter.
  • Internet Protocol (IP) addresses. You can use IP
    address filtering to permit only traffic destined
    to, or originating from, specific addresses to
    pass through the filter.
  • Protocol identifiers. Windows 2003 can filter
    packets based on the Protocol field in the IP
    header, enabling only certain protocols to enter
    the system.
  • Port numbers. Packet filtering based on the
    source or destination port number enables you to
    be more specific about the types of traffic you
    allow into a computer or onto a network. This is
    called service-dependent filtering.
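
As an added example (not part of the deck), the Python below implements a first-match packet filter over the four criteria on this slide: hardware address, IP address, protocol number and destination port. The ruleset and the sample packets are constructed for illustration; the default verdict passed to `evaluate` selects between an inclusive (allow-list) filter and an exclusive (deny-list) one, the distinction slide 1 draws.

```python
"""Toy first-match packet filter over the criteria the slide lists: hardware
address, IP address, IP protocol number and destination port.  Added example,
not code from the deck; rules and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IP protocol numbers as carried in the IP header's Protocol field.
ICMP, TCP, UDP = 1, 6, 17


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    protocol: int
    dst_port: Optional[int] = None  # None for protocols without ports (ICMP)


@dataclass(frozen=True)
class Filter:
    action: str                    # "permit" or "block"
    src_mac: Optional[str] = None  # None = wildcard for every criterion below
    src_net: Optional[str] = None  # CIDR, e.g. "10.0.0.0/24"
    dst_net: Optional[str] = None
    protocol: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every specified criterion must match; unspecified ones are wildcards."""
        if self.src_mac is not None and self.src_mac.lower() != p.src_mac.lower():
            return False
        if self.src_net is not None and ip_address(p.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net is not None and ip_address(p.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.protocol is not None and self.protocol != p.protocol:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        return True


def evaluate(filters, packet: Packet, default: str = "block") -> str:
    """First matching filter decides; unmatched traffic gets the default.
    default="block" yields an inclusive (allow-list) filter,
    default="permit" an exclusive (deny-list) one."""
    for f in filters:
        if f.matches(packet):
            return f.action
    return default


# Constructed ruleset: service-dependent filtering for a host serving web and
# LAN-only DNS, plus a hardware-address filter that lets one known NIC ping it.
RULES = [
    Filter("permit", protocol=TCP, dst_port=80),
    Filter("permit", protocol=TCP, dst_port=443),
    Filter("permit", protocol=UDP, dst_port=53, src_net="10.0.0.0/24"),
    Filter("permit", protocol=ICMP, src_mac="00:11:22:33:44:55"),
]

# Constructed sample packets arriving at 10.0.0.5.
SAMPLES = {
    "https from internet": Packet("aa:bb:cc:dd:ee:ff", "203.0.113.9", "10.0.0.5", TCP, 443),
    "dns from lan": Packet("aa:bb:cc:dd:ee:ff", "10.0.0.20", "10.0.0.5", UDP, 53),
    "dns from internet": Packet("aa:bb:cc:dd:ee:ff", "203.0.113.9", "10.0.0.5", UDP, 53),
    "ping from known mac": Packet("00:11:22:33:44:55", "10.0.0.21", "10.0.0.5", ICMP),
    "ping from other mac": Packet("de:ad:be:ef:00:01", "10.0.0.22", "10.0.0.5", ICMP),
    "rdp from internet": Packet("aa:bb:cc:dd:ee:ff", "203.0.113.9", "10.0.0.5", TCP, 3389),
}


def decisions(default: str = "block") -> dict:
    """Verdict for every sample packet under RULES."""
    return {name: evaluate(RULES, pkt, default) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{verdict:6s} {name}")
```

With the inclusive default, only the four services the rules name get through; switching the default to `"permit"` turns the same rules into an exclusive filter, where the unmatched RDP packet would pass, which is why the choice of default matters as much as the rules themselves.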

4
Potential Network Intrusion Techniques
  • Packet capturing. The ability to capture packets
    as they travel over the network makes the data
    carried inside vulnerable to interception.
  • Data modification. When unauthorized users
    capture packets, they can also modify the data
    and send it on to the original recipient.
  • Spoofing. Spoofing is the process by which an
    unauthorized user masquerades as another user,
    typically by using the other user's IP address.

5
Potential Network Intrusion Techniques (Cont.)
  • Password compromise. Passwords transmitted either
    in clear text or encrypted form can be used to
    penetrate network security.
  • Denial of service attacks. Deliberately flooding
    a network or computer with traffic can prevent it
    from performing its normal tasks.
  • Key compromise. Unauthorized users can discover
    keys used to encrypt data in the same way that
    they discover passwords.
  • Application layer attack. Vulnerabilities in
    applications can enable intruders to modify
    program or data files or to introduce damaging
    software, such as viruses.

6
Characteristics and Advantages of IPsec
  • Because IP carries all application data on a
    TCP/IP network, IP security (IPsec) can protect
    all types of data and eliminate vulnerability to
    all types of attacks.
  • The network layer of the Open Systems
    Interconnection (OSI) reference model (where IP
    operates) is the perfect place to situate an
    IPsec encryption mechanism.
  • If you use IPsec to encrypt an IP datagram at its
    source, the datagram does not have to be
    decrypted until it reaches its final destination.
  • Routers functioning as the intermediate systems
    in the internetwork communications process do not
    have to support IPsec.
  • Applications do not need to be modified to use
    IPsec.

7
IPsec Security Functions
  • Nonrepudiation. IPsec prevents users from denying
    that they sent a particular message and from
    masquerading as other users.
  • Authentication. IPsec supports authentication
    mechanisms that enable a computer to verify the
    identity of another user before initiating
    communications.
  • Antireplay. IPsec uses a technique called Cipher
    Block Chaining (CBC) to ensure that no two
    IPsec-encrypted packets are identical.
  • Packet filtering. IPsec includes its own
    packet-filtering mechanism that lets
    administrators block traffic based on IP
    addresses, protocols, ports, or all three.
  • Integrity. IPsec prevents intruders from
    modifying the contents of a packet by including a
    special signature called an integrity check value
    (ICV).

8
IPsec Protection
  • An unauthorized user can capture IPsec packets as
    they are transmitted over the network, but that
    user cannot do any of the following:
  • Read a packet's contents, because it is encrypted
  • Modify a packet's contents, because of the
    inclusion of a Hash Message Authentication Code
    (HMAC)
  • Spoof a recipient by assuming another user's
    identity, because of the authentication
    mechanisms
  • Discover passwords and keys, or reuse packets
    that have not yet been decrypted, because of the
    CBC mechanism
  • Inhibit network functionality using denial of
    service attacks, because of the packet-filtering
    capability

9
The AH Header Location in a Typical IP Datagram
10
The AH Header Format
11
An IP Datagram with the ESP Header and Trailer
12
The ESP Message Format
13
An IPsec Tunnel Mode Packet
14
Windows 2003 IPsec Administrative Elements
  • The administrative elements of the Windows 2003
    IPsec implementation are:
  • The IPsec policies that specify when and how
    network communications should be protected by
    using IPsec
  • The IP Security Policies console, a Microsoft
    Management Console (MMC) extension snap-in that
    you use to create and configure the policies

15
Windows 2003 IPsec Runtime Components
  • IPsec Policy Agent Service. Accesses the IPsec
    policy information stored in the Active Directory
    service or the local system registry and forwards
    the information to the IPsec driver
  • Internet Key Exchange (IKE). A protocol that
    IPsec uses to create a security association (SA)
    and agree on the keys that two systems will use
    to encrypt their data for transmission
  • IPsec Driver. Responsible for performing the
    actual encapsulation, encryption, and
    verification processes required for secure
    communications

16
A Typical IPsec Communications Exchange
  • 1. The user on Computer A is working in an
    application that generates a message to be sent
    to Computer B.
  • 2. The IPsec driver on Computer A compares the
    outgoing message's destination IP address or
    protocol, or both, against the IP filter list in
    the currently active IPsec policy.
  • 3. If policy specifies that communications
    between Computer A and Computer B should be
    secured, the IPsec driver instructs the IKE to
    commence negotiations with Computer B.
  • 4. Computer B's IKE receives a message from
    Computer A's IKE requesting a secure negotiation.

17
A Typical IPsec Communications Exchange (Cont.)
  • 5. The two computers negotiate a Phase 1 SA and
    two Phase 2 SAs, one inbound and one outbound.
  • 6. The IPsec driver on Computer A calculates an
    integrity signature for the outgoing data,
    encrypts it, and constructs the IPsec packets by
    adding the appropriate fields to the IP
    datagrams.
  • 7. Computer A transmits the completed packets to
    Computer B, which passes them to its own IPsec
    driver.
  • 8. Computer B's driver decrypts the data and
    verifies the packet's integrity.
  • 9. The IPsec driver on Computer B passes the
    decrypted data to the TCP/IP stack, which in turn
    passes it to the destination application.
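
The nine steps on slides 16 and 17, together with the ICV and HMAC protection described on slides 7 and 8, as an added simulation in Python (not code from the deck, from Windows, or from any IPsec implementation). The filter list, the shared secret that stands in for IKE's key agreement, the SPI value and the message are all constructed; a SHA-256 counter-mode keystream stands in for ESP's cipher so the example runs with the standard library alone. The ICV is computed over the ciphertext, as ESP does, so Computer B rejects a tampered packet before it ever decrypts it.

```python
"""Simulation of the nine-step exchange: filter check (step 2), key agreement
stand-in (step 5), integrity signature plus encryption on Computer A (step 6),
verification and decryption on Computer B (step 8).  Added example, not from
the deck or from Windows; the cipher is an illustrative keystream, not ESP's."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ICV_LEN = 12  # IPsec's HMAC-SHA1-96 truncates the ICV to 96 bits; same idea here


@dataclass
class Rule:
    """An IPsec rule: a filter list entry plus a filter action (slide 19).
    Only destination-address matching is modelled here."""
    dst_net: str
    action: str  # "permit" or "require"


def policy_requires_ipsec(rules, dst_ip: str) -> bool:
    """Step 2: the driver compares the destination against the filter list."""
    for rule in rules:
        if ip_address(dst_ip) in ip_network(rule.dst_net):
            return rule.action == "require"
    return False


@dataclass
class SecurityAssociation:
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0


def negotiate_sa(shared_secret: bytes, spi: int) -> SecurityAssociation:
    """Step 5 stand-in for IKE: derive the SA's encryption and authentication
    keys from the agreed secret (HMAC used as a key-derivation function).
    Both ends call this with the same inputs and so hold identical keys."""
    tag = spi.to_bytes(4, "big")
    enc_key = hmac.new(shared_secret, b"enc" + tag, hashlib.sha256).digest()
    auth_key = hmac.new(shared_secret, b"auth" + tag, hashlib.sha256).digest()
    return SecurityAssociation(spi, enc_key, auth_key)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256: illustrative cipher only."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(sa: SecurityAssociation, plaintext: bytes) -> bytes:
    """Step 6: encrypt, then compute the ICV over SPI, sequence number and
    ciphertext (encrypt-then-MAC, as ESP does)."""
    sa.seq += 1
    header = struct.pack("!II", sa.spi, sa.seq)  # SPI || sequence number
    ciphertext = xor(plaintext, keystream(sa.enc_key, header, len(plaintext)))
    icv = hmac.new(sa.auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def unprotect(sa: SecurityAssociation, packet: bytes):
    """Step 8: verify the ICV in constant time first; decrypt only if it matches.
    Returns the plaintext, or None for a packet whose integrity check fails."""
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return xor(body, keystream(sa.enc_key, header, len(body)))


def run_exchange(message: bytes, dst_ip: str = "192.168.1.20", tamper: bool = False):
    """Steps 1-9 end to end. Returns (outcome, data) where outcome is
    'clear' (policy did not match), 'secured' or 'rejected'."""
    rules = [Rule("192.168.1.0/24", "require")]    # constructed policy
    if not policy_requires_ipsec(rules, dst_ip):
        return "clear", message                     # steps 2-3: no IPsec needed
    secret = b"constructed-shared-secret"           # would come from IKE
    sa_a_out = negotiate_sa(secret, spi=0x1001)     # Computer A, outbound SA
    sa_b_in = negotiate_sa(secret, spi=0x1001)      # Computer B, inbound SA
    packet = protect(sa_a_out, message)             # step 6
    if tamper:                                      # one ciphertext bit altered in transit
        packet = packet[:8] + bytes([packet[8] ^ 0x01]) + packet[9:]
    plaintext = unprotect(sa_b_in, packet)          # steps 7-8
    if plaintext is None:
        return "rejected", None
    return "secured", plaintext                     # step 9


if __name__ == "__main__":
    print(run_exchange(b"hello from Computer A"))
    print(run_exchange(b"hello from Computer A", tamper=True))
    print(run_exchange(b"hello from Computer A", dst_ip="10.9.9.9"))
```

Traffic to an address outside the filter list leaves in clear, which is exactly the case step 3 guards against when a policy is too narrow; traffic that matches is only accepted by Computer B when the ICV verifies, so the modified copy an interceptor sends on (slide 4) is dropped rather than delivered.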

18
Default IPsec Security Policies
  • Client (Respond Only). Configures the computer to
    use IPsec security only when another computer
    requests it
  • Secure Server (Require Security). Configures the
    computer to require IPsec security for all
    communications and to deny all connections to
    systems that do not support IPsec
  • Server (Request Security). Configures the
    computer to request the use of IPsec security
    from all other systems but not to require it

19
IPsec Policy Elements
  • IPsec policies are composed of three basic
    elements: rules, IP filter lists, and filter
    actions.
  • A rule is a combination of an IP filter list and
    a filter action that determines when and how
    security is to be used.
  • A filter list is a selection of IP addresses,
    protocols, or ports, or a combination of the
    three, that identifies the computers to which the
    rule is to be applied.
  • A filter action defines the type of security that
    is imposed when the rule is applied.

20
The Server (Request Security) Properties Dialog Box
21
IPsec Default Filter Actions
  • Permit. Allows the traffic specified by the
    filter list to proceed without requesting
    security of any kind
  • Request Security (Optional). Causes the system to
    request security for the traffic specified by the
    filter list but enables it to proceed even if the
    other system does not support IPsec
  • Require Security. Requires security for the
    traffic specified by the filter list and refuses
    communications with systems that do not support
    IPsec
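
To see how the three filter actions on this slide combine with the default policies of slide 18, here is an added Python model (not from the deck or from Windows). Its one modelling assumption, labelled in the code, is that a host whose matching filter action is Permit behaves toward that traffic like a system without IPsec: it neither requests nor answers a security negotiation.

```python
"""Which way a connection goes between two hosts, given the filter action
that matches on each side.  Added model, not code from the deck or Windows."""
from itertools import product

# Behaviour a filter action (or default policy) gives a host for matching
# traffic: (initiates a security request, answers one, requires security).
# None stands for a system that does not support IPsec at all.  Modelling
# assumption: a host whose matching action is Permit behaves toward that
# traffic like a non-IPsec system, since it requests no security.
BEHAVIOUR = {
    None:                          (False, False, False),
    "Permit":                      (False, False, False),
    "Client (Respond Only)":       (False, True,  False),
    "Request Security (Optional)": (True,  True,  False),
    "Require Security":            (True,  True,  True),
}

# The default policies of slide 18 expressed as the filter action they apply.
DEFAULT_POLICIES = {
    "Client (Respond Only)":            "Client (Respond Only)",
    "Server (Request Security)":        "Request Security (Optional)",
    "Secure Server (Require Security)": "Require Security",
}


def negotiate(a, b) -> str:
    """Outcome for traffic between host a and host b: 'secured' when one side
    asks for security and the other answers, 'refused' when security was
    required but could not be negotiated, otherwise 'cleartext'."""
    a_init, a_resp, a_req = BEHAVIOUR[a]
    b_init, b_resp, b_req = BEHAVIOUR[b]
    if (a_init and b_resp) or (b_init and a_resp):
        return "secured"
    if a_req or b_req:
        return "refused"
    return "cleartext"


def default_policy_matrix() -> dict:
    """Every pairing of the three default policies (initiator, responder)."""
    return {(pa, pb): negotiate(fa, fb)
            for (pa, fa), (pb, fb) in product(DEFAULT_POLICIES.items(), repeat=2)}


def against_non_ipsec_host() -> dict:
    """Each default policy talking to a system that does not support IPsec."""
    return {policy: negotiate(action, None)
            for policy, action in DEFAULT_POLICIES.items()}


if __name__ == "__main__":
    for (pa, pb), outcome in default_policy_matrix().items():
        print(f"{pa:34s} -> {pb:34s} {outcome}")
    for policy, outcome in against_non_ipsec_host().items():
        print(f"{policy:34s} -> {'(no IPsec support)':34s} {outcome}")
```

The matrix shows why Client (Respond Only) is meant to be paired with one of the server policies: two Respond Only hosts never secure anything, because neither asks, while only Secure Server (Require Security) actually refuses a host without IPsec; Server (Request Security) falls back to cleartext, which is the behaviour to watch for when the goal is mandatory protection.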