Скачать в pdf «Network+»

Dynamic Packet Filtering

Packet filtering is the ability of a router or a firewall to discard packets that don’t meet certain criteria. Firewalls use dynamic packet filtering to ensure that the packets it forwards match sessions initiated on the private side of a firewall. A dynamic state list (also known as a state table), held on a firewall, keeps track of all communications sessions between stations inside the firewall and stations outside the firewall. This list changes as communications sessions are added and deleted. Dynamic state lists allow a firewall to filter packets dynamically.

In dynamic packet filtering, only packets for current (and valid) communications sessions are allowed to pass. Someone trying to play back a communications session (such as a login) to gain access will be unsuccessful if the firewall is using dynamic packet filtering with a dynamic state list, because the data sent would not be recognized as part of a currently valid session. The firewall will filter out (or “drop”) all packets that don’t correspond to a current session using information found in the dynamic state list. For example, a computer in Network A requests a Telnet session with a server in Network B. The firewall in between the two keeps a log of the communication packets that are sent each way. Only packets that are part of this current communication session are allowed back into Network A through the firewall.

Figure 8.4 shows a failed attempt to infiltrate a network that is protected with a dynamic state list. Notice that the hacker attempts to insert a packet into the communication stream but fails because he did not have the correct packet number. The firewall was waiting for a specific order of packets, and the hacker’s packet was out of sequence.

Скачать в pdf «Network+»