In order to understand firewall technology, you need to understand
something about the underlying objects that firewalls deal with:
packets and protocols. We provide a brief introduction to high-level
IP
networking concepts (a necessity for understanding
firewalls) here, but if you're not already familiar with the
topic, you will probably want to consult a more general reference on
TCP/IP (for instance,
, by Craig Hunt, published by
O'Reilly and Associates).
To transfer
information across a network, the information has to be broken up
into small pieces, each of which is sent separately. Breaking the
information into pieces allows many systems to share the network,
each sending pieces in turn. In IP networking, those small pieces of
data are called
. All data transfer
across IP networks happens in the form of packets.
4.1. What Does a Packet Look Like?
To
understand packet filtering, you first have to understand packets and
how they are layered to build up the TCP/IP protocol stack, which is:
Packets are constructed in such a way that layers for each protocol
used for a particular connection are wrapped around the packets, like
the layers of skin on an onion.
At each layer (except perhaps at the
application layer), a packet has two parts: the header and the body.
The header contains protocol information relevant to that layer,
while the body contains the data for that layer, which often consists
of a whole packet from the next layer in the stack. Each layer treats
the information it gets from the layer above it as data, and applies
its own header to this data. At each layer, the packet contains all
of the information passed from the higher layer; nothing is lost.
This process of preserving the data while attaching a new header is
known as
encapsulation.
At the application layer, the packet consists simply of the data to
be transferred (for example, part of a file being transferred during
an FTP session). As it moves to the transport layer, the Transmission
Control Protocol (TCP) or the User Datagram Protocol (UDP) preserves
the data from the previous layer and attaches a header to it. At the
next layer, the Internet layer, IP considers the entire packet
(consisting now of the TCP or UDP header and the data) to be data and
now attaches its own IP header. Finally, at the network access layer,
Ethernet or another network protocol considers the entire IP packet
passed to it to be data and attaches its own header. Figure 4-1 shows how this works.
Figure 4-1. Data encapsulation
At the other side of the connection, this process is reversed. As the
data is passed up from one layer to the next higher layer, each
header (each skin of the onion) is stripped off by its respective
layer. For example, the Internet layer removes the IP header before
passing the encapsulated data up to the transport layer (TCP or UDP).
In trying to understand packet filtering, the most important
information from our point of view is in the headers of the various
layers. The following sections look at several examples of different
types of packets and show the contents of each of the headers that
packet filtering routers will be examining. We assume a certain
knowledge of TCP/IP fundamentals and concentrate on discussing the
particular issues related to packet filtering.
In the following discussion, we start with a simple example
demonstrating TCP/IP over Ethernet. From there, we go on to discuss
IP's packet filtering characteristics, then protocols above IP
(such as TCP, UDP, and ICMP), protocols below IP (such as Ethernet),
and finally non-IP protocols (such as NetBEUI, AppleTalk, and
IPX).
4.1.1. TCP/IP/Ethernet Example
Let's
consider an example of a TCP/IP packet (for example, one that is part
of a Telnet connection) on an Ethernet.
[7] We're interested in four layers
here: the Ethernet layer, the IP layer, the TCP layer, and the data
layer. In this section, we'll consider them from bottom to top
and look at the contents of the headers that the packet filtering
routers will be examining.
4.1.1.1. Ethernet layer
At the Ethernet layer, the packet consists of two parts: the Ethernet
header and the Ethernet body. In general, you won't be able to
do packet filtering based on information in the Ethernet header. In
some situations, you may be interested in Ethernet address
information. The Ethernet address is also known as the MAC (Media
Access Control) address. Basically, the header tells you:
- What kind of packet this is
- We'll assume in this example that it is an IP packet, as
opposed to an AppleTalk packet, a Novell packet, a DECNET packet, or
some other kind of packet.
- The Ethernet address of the machine that put the packet onto this particular Ethernet network segment
- The original source machine, if it's attached to this segment;
otherwise, the last router in the path from the source machine to
here.
- The Ethernet address of the packet's destination on this particular Ethernet network segment
- Perhaps the destination machine, if it's attached to this
segment; otherwise, the next router in the path from here to the
destination machine. Occasionally it's a broadcast address
indicating that all machines should read the packet, or a multicast
address indicating that a group of subscribing machines should read
the packet.
Because we are considering IP packets in this example, we know that
the Ethernet body contains an IP packet.
4.1.1.2. IP layer
At the IP layer, the IP packet is made
up of two parts: the IP header and the IP body, as shown in
Figure 4-2. From a packet filtering point of view, the IP
header contains four interesting pieces of information:
- The IP source address
- Four bytes long and typically written as something like 172.16.244.34.
- The IP destination address
- Just like the IP source address.
- The IP protocol type
- Identifies the IP body as a TCP packet, as opposed to a UDP packet,
an ICMP (Internet Control Message Protocol) packet, or some other
type of packet.
- The IP options field
- Almost always empty; where options like the IP source route and the
IP security options would be specified if they were used for a given
packet (see the discussion in Section 4.2.2, "IP Options", later in this
chapter).
Figure 4-2. IP header and body
ost networks have a limit on the maximum length of a packet, which
is much shorter than the limit imposed by IP. In order to deal with
this conflict,
IP may divide a packet that is too large
to cross a given network into a series of smaller packets called
fragments. Fragmenting a packet doesn't
change its structure at the IP layer (the IP headers are duplicated
into each fragment), but it may mean that the body contains only a
part of a packet at the next layer. (See the discussion in
Section 4.2.3, "IP Fragmentation", later in this chapter.)
The IP body in this example contains an unfragmented TCP packet,
although it could just as well contain the first fragment of a
fragmented TCP packet.
4.1.1.3. TCP layer
At the TCP layer, the packet again contains two parts: the TCP header
and the TCP body. From a packet filtering point of view, the TCP
header contains three interesting pieces of information:
- The TCP source port
- A two-byte number that specifies what client or server process the
packet is coming from on the source machine.
- The TCP destination port
- A two-byte number that specifies what client or server process the
packet is going to on the destination machine.
- The TCP flags field
- This field contains various flags that are
used to indicate special kinds of packets, particularly during the
process of setting up and tearing down TCP connections. These flags
are discussed further in the sections that follow.
The TCP body contains the actual "data" being transmitted
-- for example, for Telnet the keystrokes or screen displays
that are part of a Telnet session, or for FTP the data being
transferred or commands being issued as part of an FTP
session.