Digi TransPort WR11 User Manual page 780

Configuring security
• The first rule allows outgoing HTTP requests on PPP 0 from any address matching the mask 10.1.2.* to destination port 80.
• The second rule allows HTTP response packets to be received on PPP 0 from source port 80 and addressed to an IP address matching the mask 10.1.2.*.
However, this second rule creates a potential security hole. The problem with filtering based
on the source port is that you can trust the source port only as much as you trust the source
machine. For example, an attacker could perform a port scan and if the source port was set to
80 in each packet, it would get through this filter. Alternatively, on an already compromised
system, a Trojan horse might be set up by listening on port 80.
You can define a more secure firewall using the inspect-state field. The stateful inspection system
intelligently creates and manages dynamic filter rules based on the type of connection and the
source/destination IP addresses.
Applying stateful rules to the above example, you can redesign the script to make it both simpler and
more effective.
Since the client's opening packet is the only packet in a TCP handshake that carries the SYN flag on its own (the server's SYN/ACK reply also carries SYN, but arrives inbound), we can use a rule that checks the SYN flag:
    pass out break end on ppp 0 from 10.1.2.0/24 to any port=80 flags s inspect-state
    block in break end on ppp 0
At first glance, it appears that the second rule blocks all inbound packets on PPP 0. While this would be inherently more secure, it would also mean that users on the network could not receive responses to their HTTP requests, making the rule of little use. In fact this is not a problem, because the stateful inspection system creates temporary filter rules based on the outbound traffic.
The first of these temporary rules allows the first response packet to pass because it also has the SYN
flag set.
Once the connection is established, a second temporary rule is created that passes inbound or
outbound packets if the IP address and port number match those of the initial rule, but does not
check the SYN flag. It monitors the FIN flag, so the system can tell when the connection has been
terminated. Once an outbound packet with the FIN flag is detected along with a FIN/ACK response,
this temporary rule ceases to exist, and further packets on that IP address/port are blocked.
In the above example:
• If a local user on address 10.1.2.34 issues an HTTP request to a host on 100.12.2.9, the outbound packet would match the first rule and be passed.
• At the same time, a temporary filter rule is automatically created by the firewall that will pass inbound packets from IP address 100.12.2.9 port 80 that are addressed to 10.1.2.34 port x (where x is the source port in the original request from 10.1.2.34).
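The following Python model is added here as an illustration; it is not code from the Digi documentation or firmware. It replays a constructed packet trace through both designs discussed above: the original pair of static rules that trust the source port, and the inspect-state script with the temporary rules the text describes (a SYN-only first rule, an established rule that stops checking SYN, and removal after an outbound FIN followed by a FIN/ACK reply). The addresses, ports, packet sequence and state names are this example's own assumptions.

```python
"""Added example: a model of the static source-port filter versus the
inspect-state script discussed on this page.

`static_filter` models the original two rules (allow out to port 80, allow in
from port 80). `StatefulFirewall` models:

    pass out break end on ppp 0 from 10.1.2.0/24 to any port=80 flags s inspect-state
    block in break end on ppp 0

plus the temporary rules created and removed by stateful inspection. All packets,
addresses and ports below are constructed for the demonstration; the state names
are this example's own, not names used by the router.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.1.2.0/24")   # the local network behind PPP 0


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" (LAN -> PPP 0) or "in" (PPP 0 -> LAN)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "FIN"}


def pkt(direction, src, sport, dst, dport, *flags):
    return Packet(direction, src, sport, dst, dport, frozenset(flags))


def static_filter(p):
    """The original two rules: trusts the source port, which is the hole the text describes."""
    if p.direction == "out" and ip_address(p.src) in LAN and p.dport == 80:
        return "pass"
    if p.direction == "in" and ip_address(p.dst) in LAN and p.sport == 80:
        return "pass"
    return "block"


class StatefulFirewall:
    """Rule 1 with inspect-state plus 'block in', with dynamic per-connection rules."""

    def __init__(self):
        # (lan_ip, lan_port, remote_ip, remote_port) -> connection state
        self.table = {}

    @staticmethod
    def _key(p):
        # Normalise so both directions of one connection share an entry.
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        key = self._key(p)
        state = self.table.get(key)

        if state == "SYN_SENT":
            # First temporary rule: only the SYN-bearing reply (SYN/ACK) may come in.
            if p.direction == "out":
                return "pass"               # retransmitted SYN from the client
            if "SYN" in p.flags:
                self.table[key] = "ESTABLISHED"
                return "pass"
            return "block"

        if state == "ESTABLISHED":
            # Second temporary rule: addresses and ports must match; SYN is no longer checked.
            if p.direction == "out" and "FIN" in p.flags:
                self.table[key] = "FIN_WAIT"
            return "pass"

        if state == "FIN_WAIT":
            # An outbound FIN was seen; the FIN/ACK reply ends the temporary rule.
            if p.direction == "in" and {"FIN", "ACK"} <= p.flags:
                del self.table[key]
            return "pass"

        # No dynamic rule matched: fall back to the two static rules.
        if (p.direction == "out" and ip_address(p.src) in LAN
                and p.dport == 80 and p.flags == frozenset({"SYN"})):
            self.table[key] = "SYN_SENT"    # inspect-state: create the temporary rule
            return "pass"
        return "block"                      # block in break end on ppp 0


def run_scenario():
    """Return {label: (static_decision, stateful_decision)} for a constructed packet trace."""
    fw = StatefulFirewall()
    trace = [
        ("syn_out",   pkt("out", "10.1.2.34", 51234, "100.12.2.9", 80, "SYN")),
        ("synack_in", pkt("in", "100.12.2.9", 80, "10.1.2.34", 51234, "SYN", "ACK")),
        ("data_in",   pkt("in", "100.12.2.9", 80, "10.1.2.34", 51234, "ACK")),
        # Port scan with the source port forced to 80: passes the static filter.
        ("scan_in",   pkt("in", "198.51.100.7", 80, "10.1.2.50", 22, "SYN")),
        # Forged reply from the right server but to a port the client never opened.
        ("forged_in", pkt("in", "100.12.2.9", 80, "10.1.2.34", 40000, "ACK")),
        ("fin_out",   pkt("out", "10.1.2.34", 51234, "100.12.2.9", 80, "FIN", "ACK")),
        ("finack_in", pkt("in", "100.12.2.9", 80, "10.1.2.34", 51234, "FIN", "ACK")),
        # Same 4-tuple after teardown: the temporary rule is gone.
        ("late_in",   pkt("in", "100.12.2.9", 80, "10.1.2.34", 51234, "ACK")),
    ]
    return {label: (static_filter(p), fw.filter(p)) for label, p in trace}


if __name__ == "__main__":
    for label, (static, stateful) in run_scenario().items():
        print(f"{label:10s} static={static:5s} stateful={stateful}")
```

Running it shows the source-port scan, the forged reply to an unopened port, and the packet arriving after teardown all passing the static filter but being blocked by the stateful one, while the genuine request, SYN/ACK, data and FIN exchange pass both.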
Using dynamic filters
Using dynamic filters is more secure, because both the source and destination IP addresses and ports are checked. In addition, the firewall automatically checks that the correct TCP flags are present for each stage of the connection.
Using such a firewall rule virtually eliminates the potential for a security breach. Even if a hacker could time their attack perfectly, they would still have to do the following:
• Forge a response packet using the correct source address and the correct port, which is chosen randomly by the sender of the HTTP request.
• Target the specific IP address that opened the connection.
Digi TransPort® Routers User Guide
Firewall
780
