How does a packet filters work?

Packet filtering is cheap to implement. It should be understood that a packet filtering device does not support the same level of security as an application or proxy firewall. All except the most trivial of IP networks is composed of IP subnets and include routers. Each router is a potential filtering point. Because the value of the router has been absorbed, more cost for packet filtering is not needed.

Packet filtering is suitable where there are simple security requirements. The internal (private) networks of some organizations are not highly segmented. Highly sophisticated firewalls are not essential for isolating one element of the organization from another. However it is prudent to support some sort of protection of the production network from a lab or experimental network. A packet filtering device is a very appropriate measure for supporting isolation of one subnet from another.

Some packet filters function in the same common pattern. It is working at the network layer and transport layer of the TCP/IP protocol stack, each packet is examined as it enters the protocol stack. The network and transport headers are examined closely for the following data which are as follows −

Protocol (IP header, network layer) − In the IP header, byte 9 (the byte count starts with zero) recognizes the protocol of the packet. Some filter devices have the capability to differentiate between TCP, UPD, and ICMP.

Source address (IP header, network layer) − The source address is the 32-bit IP address of the host which produce the packet.

Destination address (IP header, network layer) − The destination address is the 32-bit IP address of the host the packet is designed for.

Source port (TCP or UDP header, transport layer) − Each end of a TCP or UDP internet link is bound to a port. TCP ports are separate and specific from UDP ports. Ports numbered below 1024 are reserved and they have a categorically defined use.

Ports numbered above 1024 (inclusive) are called as ephemeral ports. They can be used a vendor select. For a list of “well known” ports, define as RFP1700. The source port is a pseudo-randomly defined ephemeral port number. Therefore it is not very helpful to filter on the source port.

Destination port (TCP or UDP header, transport layer) − The destination port number denotes a port that the packet is sent to. Each service on the destination host accept to a port. There are various famous ports that can be processed are 20/TCP and 21/TCP-FTP connection/data, 23/TCP-telnet, 80/TCP-http, and 53/TCP-DNS zone transfers. ·

Connection status (TCP header, transport layer) − The connection status communicate whether the packet is the first packet of the network session. The ACK item in the TCP header is set to “wrong” or 0 if this is the first packet in the session. It is simple to disallow a host from creating a connection by rejecting or discarding some packets which have the ACK bit set to “false” or 0.