Dynamic Packet Filtering

Dynamic packet filtering examines the headers of packets being sent or received. Headers identify the packet's source and destination, the protocol used, the port number, and similar details. A packet filter examines the headers to determine whether they follow legitimate syntax rules and comply with the configured security policy.

A firewall packet filter is analogous to the mail sorter at a publishing company, who examines the authors' envelopes to make sure that they both come from a legitimate address and are bound for a legitimate editor within the company. He checks the postal guidelines to make sure that he is allowed to send this type of mail to this particular editor. He does not open the envelopes and examine the story being sent; he simply sorts and routes the mail. This is essentially what packet filters do.

For example, if a packet filter encounters a packet addressed to port 403, and the filter "knows" that this port has not been opened for any service, the filter rejects the packet because its port number is invalid under the packet filter's rules.

Packet filters typically operate according to rules that determine packet disposition. These rules are written in a filter language and collected into groups called "Rule Sets." Rule Sets can be difficult to configure and work best when interpreted by properly written firewall software rather than by harried network system administrators. In addition, many packet filters do not provide the means to filter on some of the more useful properties of IP packets.

WatchGuard uses dynamic packet filtering rules that go beyond the basic packet filtering described above. WatchGuard bases its filtering not only on service types, but also on the conditions surrounding the initiation of a connection. WatchGuard uses dynamic rule sets, allowing you to add and remove rules depending on network activity. For example, if a particular site attempts to connect to a port it has no business connecting to, WatchGuard can be configured to automatically add that host to a "blocked sites list," making things such as port space probes increasingly difficult to carry out.
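
The dynamic rule-set behaviour described above, as a minimal Python sketch added here for illustration; it is not WatchGuard's implementation. The class and field names, the 600-second expiry of a blocked-sites entry, and the sample addresses and open services are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass
class DynamicFilter:
    open_services: set            # (proto, port) pairs the policy allows
    block_seconds: float = 600.0  # assumed lifetime of a blocked-sites entry
    blocked: dict = field(default_factory=dict)  # src address -> expiry time

    def check(self, pkt: Packet, now: float) -> str:
        # Header syntax first: both addresses must parse as IP addresses.
        try:
            ipaddress.ip_address(pkt.src)
            ipaddress.ip_address(pkt.dst)
        except ValueError:
            return "reject: malformed header"
        # Dynamic rule: drop everything from a blocked site until it expires.
        expiry = self.blocked.get(pkt.src)
        if expiry is not None:
            if now < expiry:
                return "reject: blocked site"
            del self.blocked[pkt.src]  # rule removed once it has aged out
        # Static rule set: only services opened by policy are accepted.
        if (pkt.proto, pkt.dport) not in self.open_services:
            self.blocked[pkt.src] = now + self.block_seconds  # rule added
            return "reject: closed port"
        return "accept"

def run_demo() -> list:
    fw = DynamicFilter(open_services={("tcp", 25), ("tcp", 80)})
    web = "192.0.2.10"  # constructed addresses from documentation ranges
    trace = [  # (time, packet), constructed sample traffic
        (0.0, Packet("198.51.100.7", web, "tcp", 403)),   # probe of a closed port
        (1.0, Packet("198.51.100.7", web, "tcp", 80)),    # same host, open port
        (2.0, Packet("203.0.113.9", web, "tcp", 80)),     # unrelated host
        (3.0, Packet("not-an-ip", web, "tcp", 80)),       # malformed source
        (700.0, Packet("198.51.100.7", web, "tcp", 80)),  # after the block expired
    ]
    return [fw.check(pkt, now) for now, pkt in trace]

if __name__ == "__main__":
    print(run_demo())
```

Once the probing host has touched the closed port, its later traffic to an open service is refused as well, which is what makes a port sweep progressively less informative.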

 

 

Copyright © 1998 - 2001 WatchGuard Technologies, Inc. All rights reserved.