What is Packet Filtering Firewall?
A packet filtering firewall is the most basic type of firewall that controls data flow to and from a network. It is a network security solution that allows network packets to move across between networks and controls their flow using a set of user-defined rules, IP addresses, ports, and protocols. Packets are routed through the packet filtering firewall only if they match predefined filtering rules; otherwise, they are declined.
The main benefits of packet filtering firewalls are that they are fast, cheap, and effective. A static packet filter has no discernible influence on speed, and its low processing requirements made it an appealing alternative from the start when compared to other firewalls that slowed responsiveness. Higher-level firewalls, on the other hand, provide outstanding performance. The security that packet filters provide, however, is rudimentary. They are unable to protect against malicious data packets arriving from trusted source IPs because they lack the necessary packet inspection capability. Also, because they are stateless, they are vulnerable to source routing and tiny fragmentation attacks. Another disadvantage of packet filtering firewalls is the difficulty of configuring and managing access control lists. Despite their shortcomings, packet filtering firewalls paved the way for today's firewalls, which provide better and deeper security.
In this article we will cover the following topics:
- How Does Packet Filtering Firewall Work?
- What is Packet Filtering Used For?
- What Are The Types Of Packet Filtering?
- What are the Advantages and Drawbacks of Packet Filtering Firewall?
- How much does a Packet Filtering Firewall Cost?
- What is Packet Filtering Firewall Example?
- Comparison of Packet Filtering Firewalls with other firewall types, such as Proxy Firewalls, and Stateful Inspection Firewalls
How Does Packet Filtering Firewall Work?
On packet-switched networks, packets are structured data units. Because these networks break communications down into small pieces, or packets, and transport them independently across the network, they can be fault-tolerant. Packets are reordered after they pass through the firewall and arrive at their destination so that the original data can be reassembled correctly. Packet switching, when done effectively, maximizes network channel capacity, reduces transmission latency, and improves communication efficacy. Two significant components can be found in packets:
- Headers: Packet headers are used to send data to the correct destination. They contain elements of the internet protocol (IP), addressing, and any other information needed to deliver the packets to their destination.
- Payloads: Within the packet, the payload is the user data. This is the data that is attempting to reach its destination.
Packet filtering firewall permits or denies network packets based on the following specifications:
- Source IP address: The address from which the packet is being sent.
- Destination IP address: The destination address of the packet.
- Protocol: The session and application protocols that are used to transfer data (TCP, UDP, ICMP).
- Ports: Source and destination ports, ICMP types, and codes.
- Flags: Flags in the TCP header, such as whether the packet is a connect request.
- Direction: Incoming or outgoing.
- Interface: Which physical interface (NIC) the packet is traversing.
It examines access control lists (ACLs) to separate packets based on upper-layer protocol ID, source and destination port numbers, source and destination IP addresses, and packet transmission route. The firewall looks for information in the IP, TCP, or UDP headers and then decides whether to allow or block the packet based on the ACL. Also, after comparing the information with the ACL, the firewall can allow fragment-type packets.
Whether a packet passes depends entirely on the packet filtering firewall's decision: it filters packets based on the security rules configured into the firewall. Firewall administrators create packet filtering rules to block packet transmission by default and only allow packets that match specific IP addresses or ports. They can create rules that allow just the packets intended for their IT services to pass through while rejecting all others.
Figure 1. How packet filtering firewall works
What is Packet Filtering Used For?
Controlling and monitoring network data to assure its validity and compliance is a key role of packet filtering firewalls. The performance of your systems may be improved, valuable assets can be protected, and operations can flow smoothly if you have functional network security.
In most cases, packet filtering is an effective defense against attacks from computers outside of an internal network (LAN). Packet filtering is considered a conventional and cost-effective method of security because most routing devices have incorporated filtering capabilities.
Certain protections can be provided only by packet filtering firewalls, and only when they are placed at specific points in your network. It is strongly advised to reject all packets arriving from outside with internal source addresses, that is, packets that pretend to originate from internal machines but are actually coming in from the outside, because such packets are frequently used in IP spoofing attacks, in which an attacker pretends to be coming from an inside machine. This type of decision can only be made by a filtering firewall at the network's perimeter: only a filtering firewall at the boundary can recognize such a packet by examining the source IP address together with the interface it arrived on and determining whether the packet originated on the internal network or on the external one. This type of source address spoofing is depicted in Figure 2.
Figure 2. Blocking IP address spoofing attack by packet filtering firewall
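The matching described above, as an added example written for this article and not code from the original page: a stateless filter checks each packet's header fields (addresses, protocol, port, interface, direction) against an ordered rule list, the first matching rule decides, and anything no rule permits is denied. The first rule is the anti-spoofing check from the previous paragraph. The interface names `ext` and `int`, the internal range 10.0.0.0/8, the web server address and the sample traffic are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: a minimal stateless packet filter. Rules are checked in
# the order listed; the first rule that matches decides, and a packet that
# matches no rule is denied (implicit deny at the end of the list).


@dataclass(frozen=True)
class Packet:
    src: str                # source IP address
    dst: str                # destination IP address
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # destination port (None for ICMP)
    interface: str          # interface the packet arrived on: "ext" or "int" (assumed names)
    direction: str          # "in" or "out" relative to the firewall
    syn_only: bool = False  # TCP SYN without ACK, i.e. a connection request


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: Optional[str] = None         # CIDR block; None means "any"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    interface: Optional[str] = None
    direction: Optional[str] = None
    syn_only: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        for field in ("proto", "dport", "interface", "direction", "syn_only"):
            want = getattr(self, field)
            if want is not None and want != getattr(p, field):
                return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


INTERNAL_NET = "10.0.0.0/8"   # assumed internal address range
WEB_SERVER = "10.0.0.80/32"   # assumed internal HTTPS server

RULES = [
    # Anti-spoofing: a packet arriving from outside must not claim an internal
    # source. This rule has to come before any permit rule for inbound traffic.
    Rule("deny", src=INTERNAL_NET, interface="ext", direction="in"),
    # Outsiders may open connections to the web server on port 443 only.
    Rule("permit", dst=WEB_SERVER, proto="tcp", dport=443, interface="ext", direction="in"),
    # Internal hosts may initiate anything outbound.
    Rule("permit", src=INTERNAL_NET, interface="int", direction="in"),
]

# Constructed sample traffic (203.0.113.0/24 is a documentation range).
SPOOFED = Packet("10.1.2.3", "10.0.0.80", "tcp", 443, "ext", "in", syn_only=True)
HTTPS_IN = Packet("203.0.113.7", "10.0.0.80", "tcp", 443, "ext", "in", syn_only=True)
SSH_IN = Packet("203.0.113.7", "10.0.0.80", "tcp", 22, "ext", "in", syn_only=True)
OUTBOUND = Packet("10.1.2.3", "203.0.113.7", "tcp", 443, "int", "in", syn_only=True)


def decisions() -> dict:
    return {
        "spoofed": filter_packet(RULES, SPOOFED),
        "https_in": filter_packet(RULES, HTTPS_IN),
        "ssh_in": filter_packet(RULES, SSH_IN),
        "outbound": filter_packet(RULES, OUTBOUND),
        # Without the anti-spoofing rule the spoofed packet matches the HTTPS permit.
        "spoofed_no_antispoof": filter_packet(RULES[1:], SPOOFED),
    }


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:22s} -> {verdict}")
```

The last entry shows why rule order matters: the same spoofed packet is permitted as soon as the anti-spoofing deny is not evaluated before the HTTPS permit.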
Typically, packet-filtering firewalls are employed in the following scenarios:
- When security regulations may be fully applied in a packet filter without the need for authentication: Packet-filtering firewalls can also be used to limit internal access between subnets and departments when authentication isn't required. In this case, you're concerned about restricting your users' access to specific internal resources; you're less concerned about sophisticated hacking attempts.
- As the first line of defense: Many businesses utilize packet-filtering firewalls as their first line of defense, with a fully functional firewall offering extra security.
- In SOHO networks with a low-security need and a limited budget: Packet-filtering firewalls are used by many SOHO networks due to their ease of use and low cost when compared to other types of firewalls. SOHOs are looking for basic security at an affordable price. Packet-filtering firewalls do not provide total protection for SOHOs, but they do give at least a basic level of defense against a wide range of cyberattacks.
What Are The Types of Packet Filtering?
There are four types of packet filtering listed below:
- Dynamic packet filtering firewall
- Static packet filtering firewall
- Stateless packet filtering firewall
- Stateful packet filtering firewall
We will briefly explain each type of packet filtering firewall in the following sections.
1. Dynamic Packet Filtering Firewall
This form of firewall is smarter because rules can be adjusted dynamically depending on the situation, and ports are only open for a limited time before closing. Because administrators may establish customizable parameters and automate certain procedures, dynamic packet filtering firewalls are more flexible than static firewalls. Dynamic packet filtering is especially beneficial for protocols that dynamically allocate ports, such as the File Transfer Protocol (FTP). If you wish to give outside users secure access to an FTP server inside the company firewall, you need to think about the following:
- The FTP server must keep Port 21 (the FTP control port) open at all times so that it may "listen" for connection attempts from outside clients. This can be accomplished with a static filtering rule.
- Only when data will be transferred to or downloaded from the FTP server should Port 20 (the FTP data port) be opened. With static filtering, this port would have to be left open all the time, potentially opening the door to hacking efforts. This port can be opened at the start of an FTP session and then closed at the end of the session thanks to dynamic filtering.
- To create an FTP connection with the client, the FTP server assigns the client two port numbers, one for control and one for data transfer, from 1024 to 65,535 at random. Because these ports are assigned at random, there is no way to know which ports above 1024 the firewall must be able to open. If you use static filtering, you'll have to leave all ports above 1024 open all the time if you wish to allow FTP access through the firewall, which is a serious security concern. However, with dynamic filtering, you can configure firewall rules to read the packets issued by the server, dynamically open the two randomly assigned ports to allow a session to be opened, monitor the flow of packets to ensure that an unauthorized user does not attempt to hijack the session, and close the randomly assigned ports when the FTP session ends.
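The dynamic behaviour described in the three points above, as an added example that is not part of the original article: the control port 21 stays open by a static rule, while a pinhole for the data connection is created only after the control channel shows which client port will receive it, can be used exactly once, and disappears when the session ends. The example models active-mode FTP, in which the client announces its data port with a `PORT h1,h2,h3,h4,p1,p2` command (port = p1*256 + p2); the server address, the client session and the "helper" class are constructed assumptions, not any product's implementation.

```python
import re
from typing import Dict, Tuple

# Constructed example: a dynamic filter for active-mode FTP. The control
# channel to port 21 is a static rule; a pinhole for the data connection is
# opened only after the client announces its data port with a PORT command,
# is usable once, and is removed when the session ends.

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

Session = Tuple[str, int]  # (client IP, client control port)


class FtpHelper:
    def __init__(self, ftp_server: str):
        self.server = ftp_server
        # control session -> (data IP, data port) announced by that client
        self.pinholes: Dict[Session, Tuple[str, int]] = {}

    def on_control(self, session: Session, line: str) -> bool:
        """Inspect one line of the control channel; return True if a pinhole changed."""
        m = PORT_RE.match(line)
        if m:
            ip = ".".join(m.group(1, 2, 3, 4))
            port = int(m.group(5)) * 256 + int(m.group(6))
            # Only honour a data port that belongs to the same client and is
            # an unprivileged port; anything else is not a legitimate transfer.
            if ip != session[0] or not 1024 <= port <= 65535:
                return False
            self.pinholes[session] = (ip, port)
            return True
        if line.strip().upper() == "QUIT":
            return self.pinholes.pop(session, None) is not None
        return False

    def allow(self, src: str, sport: int, dst: str, dport: int) -> bool:
        """Decide one packet of the FTP exchange."""
        # Static rule: anyone may reach the control port.
        if dst == self.server and dport == 21:
            return True
        # Dynamic rule: the server's data port 20 may connect to an announced
        # client port; the pinhole is consumed so it cannot be reused.
        if src == self.server and sport == 20:
            for session, hole in list(self.pinholes.items()):
                if hole == (dst, dport):
                    del self.pinholes[session]
                    return True
        return False


def demo() -> list:
    # Constructed session: client 203.0.113.7 talks to FTP server 10.0.0.21.
    h = FtpHelper("10.0.0.21")
    client = ("203.0.113.7", 40001)
    return [
        h.allow("203.0.113.7", 40001, "10.0.0.21", 21),   # control channel: allowed
        h.allow("10.0.0.21", 20, "203.0.113.7", 40002),   # data before PORT: refused
        h.on_control(client, "PORT 203,0,113,7,156,66"),  # 156*256+66 = 40002, pinhole opened
        h.allow("10.0.0.21", 20, "203.0.113.7", 40002),   # data after PORT: allowed
        h.allow("10.0.0.21", 20, "203.0.113.7", 40002),   # pinhole already consumed: refused
        h.on_control(client, "PORT 198,51,100,9,0,80"),   # other host and low port: ignored
        h.allow("10.0.0.21", 20, "198.51.100.9", 80),     # refused
    ]


if __name__ == "__main__":
    print(demo())
```

With static filtering the fourth decision could only be made by leaving every port above 1024 open; here the port is known only from the control channel and is open just long enough for the one data connection.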
2. Static Packet Filtering Firewall
This form of firewall requires human configuration, with the connection between the external and internal networks remaining open or closed at all times unless manually modified. Administrators can configure rules and manage ports, access control lists (ACLs), and IP addresses with these firewall types. They're usually straightforward and practical, making them a good fit for tiny applications and home or small-business networks that don't have a lot of requirements.
Figure 3. Static and Dynamic Packet Filtering for FTP
3. Stateless Packet Filtering Firewall
Stateless packet filtering firewalls are the most common and well-known type of firewall. While they are becoming less widespread, they still serve a purpose for home internet users or service providers who deploy low-power customer-premises equipment (CPE). Users who want to depart from the default security settings must typically configure the firewall manually, and manual configuration lets specific ports and applications pass through the packet filter.
4. Stateful Packet Filtering Firewall
It uses a state table to maintain secure connections, and packets pass through in the order that the filter rules allow. Stateful firewalls, unlike stateless packet filtering solutions, track active connections by following the characteristics of transmission control protocol (TCP) and user datagram protocol (UDP) streams. Stateful firewalls can better distinguish between genuine and malicious traffic or packets by recognizing the context of incoming traffic and data packets. New connections must typically introduce themselves to the firewall before being included in the list of authorized connections.
What are the Advantages of Packet Filtering Firewall?
Packet filtering is a powerful security technique against intrusions from external networks. It's also a conventional and cost-efficient method of defense because most routing devices include built-in filtering capabilities, eliminating the need for a separate firewall device. The following are some of the most notable benefits of a packet filtering firewall that make it widely accepted around the world:
- Highly effective and quick: The packet filtering router operates swiftly and effectively, accepting or rejecting packets based on destination and source ports and addresses. Because the decisions made by packet-filtering firewalls do not involve much reasoning, they are extremely rapid. They don't inspect the contents of the traffic, and they don't store any state information. Every port that carries traffic across the firewall must be opened manually. Other firewalls, on the other hand, use more time-consuming methods, and the performance overhead of most other firewalls is higher than that of packet filtering firewalls.
- Transparency: Packet filtering is transparent to users since it functions autonomously without the requirement for user awareness or collaboration. Users will not be informed about packet transmission until something has been rejected. Other firewalls, on the other hand, necessitate custom software, client machine setup, and user training or procedures. Packet filtering firewalls are thus user-friendly and simple to implement.
- Cost-efficient: Packet filtering has the distinct advantage of cost-efficiency, requiring only one filtering router to secure the internal network. Packet filtering capabilities are built into widely used hardware and software routing devices. Furthermore, most sites already have packet filtering capabilities built into their routers, making this strategy the most cost-effective.
- Easy-to-use: Packet filtering is an enticing choice because of its price and ease of usage. With this security strategy, a single screening router may defend an entire network. Users don't require a lot of information, training, or help to utilize firewalls because they won't notice packet transfer unless it's rejected.
What are the Disadvantages of Packet Filtering Firewall?
Packet filtering has various advantages, but it also has some drawbacks. The following are some of the downsides of a packet filtering firewall:
- Less Secure: The most significant disadvantage of packet filtering is that it depends on IP address and port number rather than context or application information. Therefore, packet filters are not thought to be highly secure: they will forward any traffic traveling via an authorized IP/port. The packet filter does not check the full packet, allowing an attacker to place harmful commands in headers that aren't examined or in the payload itself. As a result, malicious communication may be sent and will not be blocked as long as it is on an allowed port.
- Lack of Logging: The packet filter may lack logging capabilities, making it problematic for a business that must adhere to compliance and reporting requirements.
- Stateless Firewall: Another significant shortcoming of packet filtering is that it is fundamentally stateless, which means it monitors each packet independently without taking into account the established connection or previous packets that have passed through it. As a result, the ability of these firewalls to protect against advanced threats and attacks is severely limited.
- Vulnerable to Address Spoofing: Because it just looks at the packet headers, packet filtering does not guard against IP spoofing. Attackers can use basic spoofing techniques to get through the static packet filter, which can't distinguish the difference between a real and a fake address.
- Difficult to Manage: Packet filtering firewalls are not a perfect solution for many networks because it can be difficult or time-consuming to build the filters that are actually needed. A packet filter becomes unmanageable in bigger installations, since packet-filtering rules are checked in sequential order, which demands caution when entering rules into the rule base. Finally, because the static packet filter is stateless, the administrator must set up rules for both sides of the conversation. Managing and configuring ACLs can be challenging at times.
- Some protocols are incompatible with packet filtering: Even with flawless packet filtering implementations, some protocols are simply not well suited to packet filtering security. The Berkeley "r" commands (rcp, rlogin, rdist, rsh, etc.) and RPC-based protocols like NFS and NIS/YP are examples of such protocols.
- Some policies are difficult to enforce with standard packet filtering firewalls: Packets, for example, indicate the host from which they originated, but not the user. As a result, you won't be able to impose limitations on specific users. Similarly, packets specify which port they're going to but not which application they're going to; when enforcing limits on higher-level protocols, you do so by port number, trusting that no other protocol is using that port. Insiders with nefarious motives can easily sabotage such control.
How much does a Packet Filtering Firewall Cost?
Among all types of firewalls, packet filtering firewalls are the most cost-effective. Almost all routers have packet filtering capabilities built-in as well. You can also set up your own packet filtering firewall for free on an outdated PC. OPNsense, pfSense software, IPFire, and ClearOS are just a few of the open-source firewalls freely available for home and small business networks. Without spending any money, you may easily and rapidly activate the UFW packet filtering firewall on your Ubuntu-based router or FirewallD on your CentOS-based router.
What is Packet Filtering Firewall Example?
Each TCP/IP packet contains the source/destination IP addresses and source/destination port numbers, which packet filters act on. You can create packet filtering rules that only allow access from IP addresses that are recognized and well-known while blocking access from all unknown or unrecognized IP addresses.
You may, for example, allow access only from known, established IP addresses, which by itself prevents access from all unknown or unrecognized IP addresses.
You may also, for example, restrict outsiders' access to port 443 with a rule that denies that destination port. Because most HTTPS servers use port 443, this effectively blocks all external access to the HTTPS server.
According to a CERT report, the most useful approach is to use packet filtering to allow only known and explicitly permitted network traffic, to the greatest extent possible.
Here is a real-world packet filtering implementation scenario:
We assume that the company offers WWW, FTP, and Telnet services accessible from the Internet. The internal network of a corporation is connected to the router's Serial 3/1/9/1:2, and internal users access the Internet via the router's GigabitEthernet 3/1/1. The company's internal subnet is 22.214.171.124, with internal FTP server addresses of 126.96.36.199, Telnet server addresses of 188.8.131.52, internal WWW server addresses of 184.108.40.206, and the company's public address of 220.127.116.11. The router's NAT feature is turned on, allowing hosts on the internal network to access the Internet and external hosts to access the internal servers.
The company wishes to achieve the following goal by utilizing the firewall feature: only particular users on external networks are granted access to internal servers, and only specific hosts on the internal network are allowed to access external networks.
Assume that a certain external user's IP address is 18.104.22.168.
Figure 4. Packet filtering topology example
Packet filtering may be implemented on the router by following the steps given below:
- Create an advanced ACL by running the following command.
[Router] acl number 3001
- Configure rules to permit specific hosts to access external networks and permit internal servers to access external networks by running the following commands.
[Router-acl-adv-3001] rule permit ip source 22.214.171.124 0
[Router-acl-adv-3001] rule permit ip source 126.96.36.199 0
[Router-acl-adv-3001] rule permit ip source 188.8.131.52 0
[Router-acl-adv-3001] rule permit ip source 184.108.40.206 0
- Configure a rule to prohibit all other IP packets from passing the firewall by running the following command.
[Router-acl-adv-3001] rule deny ip
- Create a second advanced ACL by running the following command.
[Router] acl number 3002
- Configure a rule to allow a specific external user to access internal servers by running the following command.
[Router-acl-adv-3002] rule permit tcp source 220.127.116.11 0 destination 18.104.22.168 0.0.0.255
- Configure a rule to permit only specific data (TCP packets whose destination port is greater than 1024) to enter the internal network, followed by a rule that denies everything else, by running the following commands.
[Router-acl-adv-3002] rule permit tcp destination 22.214.171.124 0 destination-port gt 1024
[Router-acl-adv-3002] rule deny ip
- Apply ACL 3001 to filter packets that come in through GigabitEthernet 3/1/1 by running the following commands.
[Router] interface gigabitEthernet 3/1/1
[Router-GigabitEthernet3/1/1] firewall packet-filter 3001 inbound
- Apply ACL 3002 to filter packets that come in through Serial 3/1/9/1:2 by running the following commands.
[Router] interface serial 3/1/9/1:2
[Router-Serial3/1/9/1:2] firewall packet-filter 3002 inbound
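To show how rules of the form listed above are actually evaluated, here is an added example written for this article, not vendor code: a parser for the subset of rule syntax used in ACL 3002 (permit/deny, protocol, source and destination with a wildcard mask, where `0` stands for a single host and `0.0.0.255` for a /24, and a `destination-port gt` comparison) together with a first-match evaluator. It is fed the three ACL 3002 lines exactly as listed; the sample packets and the address 198.51.100.5 are constructed, and the default action when no rule matches is a parameter of the simulation rather than a statement about any router's default.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed example: parse and evaluate the ACL rule lines shown in the
# article. Rules are tested in order and the first match decides.

_PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # strips a "[Router-acl-adv-3002] " prompt


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_rule(line: str) -> dict:
    tok = _PROMPT.sub("", line.strip()).split()
    if len(tok) < 3 or tok[0] != "rule" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not a rule line: {line!r}")
    rule = {"action": tok[1], "proto": tok[2], "src": None, "dst": None, "dport": None}
    i = 3
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):
            addr, wild = tok[i + 1], tok[i + 2]
            wild = "0.0.0.0" if wild == "0" else wild   # "0" is shorthand for one host
            rule["src" if key == "source" else "dst"] = (_ip(addr), _ip(wild))
            i += 3
        elif key == "destination-port":
            rule["dport"] = (tok[i + 1], int(tok[i + 2]))  # e.g. ("gt", 1024)
            i += 3
        else:
            raise ValueError(f"unsupported keyword: {key}")
    return rule


def _addr_match(spec, ip: str) -> bool:
    if spec is None:
        return True
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # bits set in the wildcard mask are "don't care"
    return (_ip(ip) & care) == (base & care)


_PORT_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}


def rule_matches(rule: dict, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if rule["proto"] != "ip" and rule["proto"] != proto:
        return False
    if not (_addr_match(rule["src"], src) and _addr_match(rule["dst"], dst)):
        return False
    if rule["dport"] is not None:
        op, n = rule["dport"]
        if dport is None or not _PORT_OPS[op](dport, n):
            return False
    return True


def evaluate(acl: List[dict], proto: str, src: str, dst: str,
             dport: Optional[int] = None, default: str = "deny") -> str:
    """First matching rule decides; `default` (an assumption) applies if none matches."""
    for rule in acl:
        if rule_matches(rule, proto, src, dst, dport):
            return rule["action"]
    return default


# ACL 3002 exactly as listed in the article.
ACL_3002_LINES = [
    "[Router-acl-adv-3002] rule permit tcp source 220.127.116.11 0 destination 18.104.22.168 0.0.0.255",
    "[Router-acl-adv-3002] rule permit tcp destination 22.214.171.124 0 destination-port gt 1024",
    "[Router-acl-adv-3002] rule deny ip",
]
ACL_3002 = [parse_rule(line) for line in ACL_3002_LINES]


def verdicts() -> dict:
    # Constructed sample packets; 198.51.100.5 is a documentation address.
    return {
        "rule1_match": evaluate(ACL_3002, "tcp", "220.127.116.11", "18.104.22.9", 23),
        "high_port_tcp": evaluate(ACL_3002, "tcp", "198.51.100.5", "22.214.171.124", 8080),
        "low_port_tcp": evaluate(ACL_3002, "tcp", "198.51.100.5", "22.214.171.124", 80),
        "high_port_udp": evaluate(ACL_3002, "udp", "198.51.100.5", "22.214.171.124", 8080),
        # The same rules with "deny ip" moved to the front: it shadows both permits.
        "deny_first": evaluate([ACL_3002[2]] + ACL_3002[:2], "tcp", "220.127.116.11", "18.104.22.9", 23),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:14s} -> {verdict}")
```

The `deny_first` case is the sequential-order pitfall: a catch-all placed before the permits silently disables them, which is why the order of entry into the rule base needs care.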
As another example, let us assume you wish to build a simple Linux-based packet-filtering firewall. For the two IP subnets, you have two network interface cards installed and configured, and packet forwarding is enabled between the network interfaces: you have a Linux-based router. If this is your principal firewall between your internal network and the Internet, you might wish to accept only internal www connections and refuse everything else. Assuming the user-defined chain int-ext has already been created (ipchains -N int-ext) and is reached from the forward chain, your ipchains configuration might look like this:
ipchains -A int-ext -p tcp -d 0/0 www -j ACCEPT
ipchains -A int-ext -j REJECT
The first line adds the ability to accept and pass connections on port 80 (www) from the internal to the external interface. It's a part of the int-ext chain (sometimes this is referred to as the access control list).
The second line is a catch-all. All other packets are rejected.
Although this is a very simplistic example, it illustrates two points. First, a packet must be expressly permitted in order to pass. Second, having a catch-all rule that rejects all packets that aren't specifically authorized is a smart idea.
What is the Difference Between Proxy Firewall And Packet Filtering Firewall?
Packet-filtering firewalls run at the network layer (layer 3) of the OSI model as a router and do not distinguish between application protocols. Proxy firewalls, on the other hand, provide proxy services for internal users by monitoring/controlling outgoing internal packets and regulating incoming external network traffic.
Proxy firewalls, unlike packet filtering firewalls, do not route packets; instead, they accept a connection on one network interface and establish a corresponding connection on another. A Proxy server acts as a bridge between hosts on different networks, keeping track of the state and sequencing of TCP connections.
Proxy firewalls look at packets more thoroughly than packet filtering firewalls, recognizing the type of data being sent (HTTP or FTP, for example). They operate at a higher level in the protocol stack than packet-filtering firewalls, which gives them more options for access monitoring and control. An application gateway acts as an intermediary when dispatching messages from internal clients to the outside world, changing the source identification of the client packets.
In applications that forward and filter connections for services like Telnet and FTP, proxy firewalls have solved some of the flaws inherent with packet-filtering devices. Packet-filtering and proxy firewalls, on the other hand, do not have to be employed separately. When proxy firewalls and packet-filtering devices are used together, they can provide greater flexibility and security than if they were used separately. A web server that utilizes a packet-filtering firewall to deny all incoming Telnet and FTP connections and redirects them to an application gateway is an example of this. The source IP address of incoming Telnet and FTP packets can be authenticated and logged using an application gateway, and if the information in the packets passes the proxy firewall's acceptance criteria, a proxy is created and a connection between the gateway and the selected internal host is allowed. Only those connections for which a proxy has been created will be allowed through the application gateway. This type of firewall system allows only trusted services to pass through to the enterprise's internal systems and prohibits untrusted services from passing through without the security administrators' monitoring and control.
Packet-filtering devices are, on average, faster than application gateways, but they lack the security that most proxy services provide.
Because proxy firewalls are more complicated than packet-filtering firewalls, the additional computing resources and cost of operating such a system should be considered when determining organizations' firewall requirements. For all of the concurrent sessions in use on a network, the host may need to support hundreds to thousands of proxy processes, depending on the requirements. As with other business decisions, the higher the level of performance required, the higher the expenses associated with achieving that level of performance.
Proxy firewalls have the following advantages: they prevent direct connections between internal and external hosts; they frequently provide user and group-level authentication, and they may analyze specific application commands within the payload component of data packets. Proxy firewalls have the disadvantages of being slower than packet filtering firewalls, not being transparent to users, and requiring each application to have its own dedicated proxy firewall policy/processing module.
| Packet Filtering Firewall | Proxy Firewall |
|---|---|
| Simplest | More complex |
| Filters based on connection rules | Filters based on behavior or proxies |
| Auditing is difficult | Activity can be audited |
| Low impact on network performance | High impact on network performance |
| Network topology cannot be hidden from the attacker | Network topology can be hidden from the attacker |
| Transparent to the user | Not transparent to the user |
| Sees only addresses and service protocol type | Sees the full data portion of a packet |
What is the Difference Between Packet Filtering Firewall And Stateful Inspection Firewall?
Stateful inspection is a method that does a more in-depth analysis of the information contained in packets, with subsequent filtering decisions based on what the firewall "learned" from previously analyzed packets.
Stateful packet inspection firewalls work in the same way as packet filtering firewalls, except they can maintain track of traffic at a more detailed level. A stateful firewall can watch the traffic over a specific connection, which is normally specified by the source/destination IP addresses, the ports, and the previously existing network traffic, whereas a packet filtering firewall can only examine each packet in isolation. A stateful firewall uses a state table to keep track of the connection state and will only allow traffic that is part of a new or existing connection through. Therefore, stateful firewalls provide more advanced security than packet-filtering firewalls by making filtering decisions based on both packet content and past packet history.
Most stateful firewalls can also act as packet filtering firewalls, with the two types of filtering being combined. This form of firewall, for example, can detect and track traffic relating to a specific user-initiated connection to a Web site and can determine when the connection has been closed and no further traffic should be present.
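The difference described in this section and in the "Stateful Packet Filtering Firewall" section above, as an added example that is not part of the original article: the same sequence of TCP packets is judged once by a stateless filter that relies on an "established" rule (inbound TCP to a port above 1024 is presumed to be a reply, in the style of the `destination-port gt 1024` rule earlier on this page) and once by a stateful filter that keeps a connection table and only admits packets belonging to a connection it saw opened. The internal network 10.0.0.0/24, the addresses and the single-FIN teardown are constructed simplifications.

```python
import ipaddress
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed example: stateless "established" rule versus a stateful
# connection table, applied to the same packets in the same order.

INTERNAL = ipaddress.ip_network("10.0.0.0/24")  # assumed internal network


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


@dataclass(frozen=True)
class Tcp:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    fin: bool = False


def stateless_allow(p: Tcp) -> bool:
    """Outbound is permitted; inbound only to ports > 1024, presumed to be replies."""
    if is_internal(p.src):
        return True
    return is_internal(p.dst) and p.dport > 1024


class StatefulFilter:
    def __init__(self) -> None:
        # Connection table keyed on the 4-tuple of the side that opened the connection.
        self.table: Set[Tuple[str, int, str, int]] = set()

    def allow(self, p: Tcp) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            if p.fin:  # simplification: drop the entry on the first FIN
                self.table.discard(fwd)
                self.table.discard(rev)
            return True
        # Unknown connection: only a fresh SYN from inside may create state.
        if p.syn and not p.ack and is_internal(p.src):
            self.table.add(fwd)
            return True
        return False


def compare() -> dict:
    # Constructed traffic: 10.0.0.5 opens HTTPS to 203.0.113.7, then an
    # unsolicited ACK arrives from outside aimed at a high port on 10.0.0.9.
    syn_out = Tcp("10.0.0.5", 40000, "203.0.113.7", 443, syn=True, ack=False)
    synack_in = Tcp("203.0.113.7", 443, "10.0.0.5", 40000, syn=True, ack=True)
    probe_in = Tcp("203.0.113.7", 443, "10.0.0.9", 40001, syn=False, ack=True)
    syn_in_445 = Tcp("203.0.113.7", 50000, "10.0.0.9", 445, syn=True, ack=False)
    fin_out = Tcp("10.0.0.5", 40000, "203.0.113.7", 443, syn=False, ack=True, fin=True)
    late_in = Tcp("203.0.113.7", 443, "10.0.0.5", 40000, syn=False, ack=True)

    sequence = [syn_out, synack_in, probe_in, syn_in_445, fin_out, late_in]
    sf = StatefulFilter()
    return {
        "stateless": [stateless_allow(p) for p in sequence],
        "stateful": [sf.allow(p) for p in sequence],
    }


if __name__ == "__main__":
    for kind, results in compare().items():
        print(f"{kind:9s} {results}")
```

The third packet (an ACK to a high port that no internal host asked for) and the last one (a packet for a connection that has already been closed) are where the two diverge: the stateless rule has to accept them because it cannot tell a reply from anything else on a high port, while the stateful filter rejects both because neither belongs to an entry in its table.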
What is the Difference Between Packet Filtering Firewall And Circuit-Level Firewall?
Circuit-level firewalls are similar to proxy firewalls, only they don't need to know what kind of data is being sent. SOCKS servers, for example, can operate as circuit-level firewalls. "SOCKS" is a protocol that allows a server to accept requests from a client on a private network and send them over the Internet. Sockets are used by SOCKS to keep track of individual connections.
While packet filtering firewalls are stateless, circuit-level gateways perform stateful inspection (dynamic packet filtering) to make their filtering decisions. Stateful inspection is a circuit-level gateway function that provides more robust screening than packet-filtering devices, because it uses both packet content and previous packet history to make filtering judgments.
Circuit-level gateways, like proxy firewalls, can be configured to make advanced access decisions and offer more security monitoring capability than packet-filtering firewalls. Like packet-filtering firewalls, however, they still rely on a well-laid-out core routing structure.