throbber
Firewall Routers
`
`http://www.garykessler.net/library/firewall.html
`
`FIREWALL ROUTERS AND PACKET FILTERING
`
`Gary Kessler
`February 1995
`An edited version of this paper appeared with the title
`"Build Great Firewalls" in Network VAR, June 1995.
`
`So you have come to the realization that your network, along with every other network in the
`universe, ought to be connected to the Internet! While preparing for the connection, installing
`software, training users, and managing addresses, it is critical that network administrators devote
`some time to one issue that has gone relatively under-reported in the popular Internet press until
`recently; namely, that of security (or lack thereof). Security is an issue often over-looked by many
`companies attaching to the net, particularly if they have limited experience attaching to the outside
`world; security may be lacking on the local network in the first place, it may be viewed as an
`unnecessary bother, or passwords may seem like all the protection anyone could want or need.
`Securing your network from the outside world to your level of comfort is not tacky or unfriendly; it is
`a necessary precaution and, in some cases, may be a legal requirement.
`Immediately after reading this article, all LAN/Internet administrators should read Firewalls and
`Internet Security: Repelling the Wily Hacker (Addison-Wesley, 1994) by W.R. Cheswick and S.M.
`Bellovin, both of AT&T. The book is TCP/IP-specific and very UNIX-centric, but the lessons to be
`learned extend easily to other operating systems and maybe even to some other protocol stacks. The
`book also contains an extensive list of additional resources, code, and security tools.
`But more to the point: this book will not only convince you why security precautions are absolutely
`necessary, but it will cure you once and for all if you believe that passwords provide adequate
`protection from the serious intruder. The book also describes holes in the TCP/IP protocol stack that
`you might never have imagined. Without adequate security, your LAN is not merely attached to the
`Internet, but it is much more a part of the Internet than you really want. It is certainly true that all
`protocol stacks have security holes but the very public nature of TCP/IP and the Internet makes all
`such holes appear to be almost unique to this environment. I give this book my highest possible
`recommendation: I Spent My Own Money To Buy The Book.
`Firewalls, according to Cheswick and Bellovin, may be generally classified into three types: packet
`filters, application gateways, and circuit gateways. Packet filters block the transmission of packets
`based upon the protocol, address, and/or port identifier, while application gateways filter traffic using
`application-specific rules. Circuit gateways act as a TCP relay; an external remote host connects to a
`TCP port at the gateway and the gateway, in turn, establishes a TCP connection to the intended
`
`1 of 7
`
`5/27/14 8:55 PM
`
`Google Ex. 1517, pg. 1
`
`

`

`Firewall Routers
`
`http://www.garykessler.net/library/firewall.html
`
`destination on the internal local network. Often, more than one of these types may be used together.
`This article will focus on simple packet filtering for a couple of reasons. First, almost all routers have
`some form of filtering capability. Second, understanding packet filters requires an understanding of
`the TCP/IP protocols that is helpful in establishing other gateway protections. It should be noted that
`some experts consider packet filters to be the weakest form of firewall protection, primarily because
`of the difficulty in correctly setting up the filtering rules (making them possible to circumvent since
`they're often not set up correctly!). Nevertheless, packet filtering is also the most easily accessible
`form of firewall protection in most environments and is a good first step.
`
` inside ---------- outside
` | | | |
`LAN side ======+======| Router |======+====== WAN/Internet side
` | | | |
` ----------
`
`FIGURE 1. "Inside" and "outside" filter reference points.
`
`When setting up packet filters, you must first determine what filtering capabilities your router has and
`where you want to filter. If your router has one or more LAN ("inside") ports and/or one or more
`WAN ("outside") ports, you probably want to filter on the outside, to protect the router (Fig. 1). Most
`routers do, in fact, allow you to build packet filters and apply them on a per-port basis.
`In the discussion below, the rules are stated in a simple, general form that does not follow any
`particular router vendor's format; readers are urged to consult their vendor and/or vendor's literature
`for specific information about their own system. In each filtering rule below, we can specify:
`Dir: Whether this rule is being used to filter an inbound or outbound packet, from the
`perspective of the router.
`Action: Whether this rule is being used to allow or block a particular packet type.
`Protocol: The protocol to which this rule applies (IP, TCP, UDP, or ICMP).
`Address/Port Information: An optional source and/or destination IP address (from/to) to identify
`the relevant hosts, and an optional source and/or destination port address (source/destination) to
`identify the application to which this rule applies (see Table 1). For this example, assume that
`the local network's FTP server and mail server have IP addresses 254.1.1.1 and 254.1.1.2,
`respectively; we will also pretend that this is a Class C address, so that this domain's network
`identifier is 254.1.1.0. (In most rule formats, the portion of the address to which applies may be
`specified with a subnet mask or by indicating how many bits are significant. Thus, to refer to
`only the network identifier portion of a Class C address, the rule would indicate a mask of
`255.255.255.0 or a value of 24.)
`Flags: Used here to indicate whether this rule pertains to a TCP virtual circuit that is being
`initiated with this packet or to a TCP connection that has already been established (estab). This
`can usually be determined by examining the setting of the Flags field in the TCP segment
`
`2 of 7
`
`5/27/14 8:55 PM
`
`Google Ex. 1517, pg. 2
`
`

`

`Firewall Routers
`
`http://www.garykessler.net/library/firewall.html
`
`Header. In particular, the Acknowledgement (ACK) flag is used to indicate whether the
`Acknowledgement Number in this segment is valid or not; it is usually set except in the first
`segment used for connection establishment. The Reset (RST) flag is used to force an immediate
`termination of a TCP connection. For filtering purposes, a TCP connection is considered to be
`established if the ACK or RST flag is set.
`The list below is a sample set of packet filtering rules that might be assigned to the router's WAN
`(outside) interface:
` # Dir Action Protocol Address/Port Information Flags
`-- --- ------ -------- ----------------------------------- -----
` 1 IN ALLOW TCP source=23 estab
` 1 OUT ALLOW TCP dest=23
`
` 2 IN ALLOW TCP source=21 estab
` 2 OUT ALLOW TCP dest=21
` 3 IN ALLOW TCP source=20; dest>1023
` 3 OUT ALLOW TCP dest=20
`
` 4 IN ALLOW TCP to: 254.1.1.1; dest=21
` 4 OUT ALLOW TCP from: 254.1.1.1; source=21 estab
` 5 IN ALLOW TCP to: 254.1.1.1; dest=20 estab
` 5 OUT ALLOW TCP from: 254.1.1.1; source=20
`
` 6 IN ALLOW TCP to: 254.1.1.2; dest=25
` 6 OUT ALLOW TCP from: 254.1.1.2; source=25 estab
` 7 IN ALLOW TCP to: 254.1.1.2; dest=25 estab
` 7 OUT ALLOW TCP from: 254.1.1.2; source=25
`
` 8 IN ALLOW UDP dest=53
` 8 OUT ALLOW UDP dest=53
`
` 9 IN ALLOW ICMP
` 9 OUT ALLOW ICMP
`The first rule applies to Telnet, an application that runs over TCP. Standard Telnet servers use the
`well-known port #23. Rule 1 allows outgoing packets to a Telnet server; it also allows incoming
`Telnet packets from a Telnet server if they are part of an existing connection. The result of this
`rule-pair is that any of the LAN users can establish a Telnet connection to an Internet host but no one
`on the Internet can establish a Telnet connection to one of the LAN's hosts. In my environment, for
`example, this rule makes sense; no one is supposed to be running Telnet server software on their
`system and, if they do, we don't want it accessible from the outside.
`
`TABLE 1. Some well-know TCP/UDP port numbers.
`
`--------------------------------------------------------------------
`| Port | Protocol | Port Name (Function) |
`|-------+----------+-----------------------------------------------|
`| 20 | TCP | ftp-data (FTP data connection) |
`| 21 | TCP | ftp (FTP control connection) |
`| 23 | TCP | telnet |
`| 25 | TCP | smtp (Simple Mail Transfer Protocol) |
`| 43 | TCP | whois/nicname |
`
`3 of 7
`
`5/27/14 8:55 PM
`
`Google Ex. 1517, pg. 3
`
`

`

`Firewall Routers
`
`http://www.garykessler.net/library/firewall.html
`
`| 53 | TCP/UDP | dns (Domain Name System) zone transfer/query |
`| 67 | UDP | bootp (Bootstrap protocol) |
`| 69 | UDP | tftp (Trivial File Transfer Protocol) |
`| 70 | TCP | gopher |
`| 79 | TCP | finger |
`| 80 | TCP | http (HyperText Transfer Protocol) |
`| 111 | UDP | rpc (SUN Remote Procedure Call) |
`| 119 | TCP | nntp (Network News Transfer Protocol) |
`| 123 | TCP/UDP | ntp (Network Time Protocol) |
`| 161 | UDP | snmp (Simple Network Management Protocol) |
`| 162 | UDP | snmp-trap (SNMP Trap) |
`| 179 | TCP | bgp (Border Gateway Protocol) |
`| 513 | TCP | rlogin |
`| 514 | TCP | rexec |
`| 517 | TCP/UDP | talk |
`| 520 | UDP | route (Routing Information Protocol) |
`| 2049 | UDP | nfs (Network File System) |
`| 6000 | TCP/UDP | x11 (X-Windows) |
`--------------------------------------------------------------------
`
`The next four rules deal with the File Transfer Protocol (FTP), another protocol that operates over
`TCP. When a user (the client) opens an FTP session with a remote host (the server), the client sets up
`an FTP-control connection to the server on TCP port #21. When the client sends FTP commands to
`obtain directory listings or to initiate file transfers, for example, the FTP server establishes an
`FTP-data connection with the client using TCP port #20; the FTP client is assigned some TCP port
`number greater than 1023. Note that the server sets up a new FTP-data connection for each dir, get, or
`put command and that the client is assigned a new TCP port number for each new FTP-data
`connection. Rule 2, then, allows outgoing FTP-control packets, but limits incoming FTP-control
`packets to existing connections, while Rule 3 allows incoming and outgoing FTP-data packets. These
`two rule-pairs allow our users to establish an FTP connection with any FTP server on the Internet.
`Rules 4 and 5 also deal with FTP; they limit new incoming FTP-control connections and new
`outgoing FTP-data connections only between the LAN's FTP server (IP address 254.1.1.1) and a
`remote host. These rule-pairs, then, allow any Internet host to establish an FTP connection to the
`designated FTP server but to no other host on the LAN.
`Rules 6 and 7 are very similar to Rules 4 and 5. These two rule-pairs allow incoming and outgoing
`SMTP packets (TCP port #25) between the mail server (IP address 254.1.1.2) and any Internet host.
`(This rule, although common, may be too broad since now any Internet host can attempt to establish
`an SMTP connection to the local mail system. To limit the scope, some networks only allow SMTP
`connections between their own mail system and a designated mail relay; a problem can arise,
`however, if the mail relay goes down, although the rule could still limit connections to a known
`network.)
`Rule 8 allows incoming and outgoing Domain Name Server (DNS) query packets (UDP port #53).
`Rule 9 allows inbound and outbound Internet Control Message Protocol (ICMP) packets. Other
`similar rules can be applied for other ports and applications, such as Gopher, http, Whois/NICNAME,
`Finger, Netnews, RIP, and SNMP; only allow packets that are relevant to your system.
`
`4 of 7
`
`5/27/14 8:55 PM
`
`Google Ex. 1517, pg. 4
`
`

`

`Firewall Routers
`
`http://www.garykessler.net/library/firewall.html
`
`Network administrators may want to carefully consider why some common applications are supported
`at all. In today's environment, for example, why respond to Finger requests with full system and/or
`user information? Password guessing is the first type of attack that may be tried on your system and
`Finger helps attackers by giving them a list of valid user names; it also provides a way that an attacker
`can find accounts that have been inactive for some time. An increasing number of sites limit Finger by
`not providing a Finger daemon, filtering external Finger requests, limiting the information supplied in
`the response, or employing a Finger daemon that responds to all requests with a standard banner
`message from the network administrator.
`Many experts subscribe to the theory that you should deny access to all services except the ones that
`you explicitly want users to have access to. CERT has issued several advisories regarding filtering
`suggestions for many of the well-known ports listed in Table 1; see also Cheswick & Bellovin's book
`and literature from your vendor. Note that some routers will automatically block anything not
`explicitly permitted; alternatively, you could add the following rules to prevent use of any TCP or
`UDP port not explicitly allowed by an earlier rule:
`10 IN BLOCK TCP
`10 OUT BLOCK TCP
`11 IN BLOCK UDP
`11 OUT BLOCK UDP
`Be careful that you have permitted all of the protocols that you want before you shut the door. Be
`aware also that this type of blanket denial will block some legitimate uses of non-standard ports; some
`experimental Gopher and WWW servers, for example, use ports other than 70 and 80, respectively.
`Rules 10 and 11 are also an example where rule ordering can be very important. The packet filter
`routine will usually process rules in order until either a rule is matched or the rule list exhausted.
`Consider what would happen if these last two rules were accidently inserted before, say, Rule 6. In
`that case, no SMTP or DNS packets would ever be allowed to enter or leave through the router.
`Another type of packet filtering that should be employed blocks IP spoofing, a form of attack where
`an intruder replaces their own IP address with a valid IP address from another network. IP spoofing
`takes advantage of those applications that use authentication based upon the source IP address,
`possibly leading to unauthorized use of data base, commercial, and/or system resources. IP spoofing
`was a major part of the intrusion widely publicized in early January 1995. As an aside, the "holes" in
`TCP/IP that made it possible were described in papers written as much as 7 or more years ago.
`Rule 12 prevents IP spoofing attacks by blocking any incoming packet if it contains a source address
`from the internal network (remember, we're pretending that our address is a Class C address!). The
`second part of the rule blocks outgoing packets that contain a source IP address that differs from the
`local network's address, to prevent IP spoofing attacks being launched from this network. If possible,
`log these events; these are bona fide attacks if they occur. (These rules are shown at the end for ease of
`discussion only; in fact, they should probably be the first rules defined.)
`12 IN BLOCK IP from: 254.1.1.0
`12 OUT BLOCK IP not-from: 254.1.1.0
`Although the examples here are oriented towards filtering on the outside interface, inside filtering may
`
`5 of 7
`
`5/27/14 8:55 PM
`
`Google Ex. 1517, pg. 5
`
`

`

`Firewall Routers
`
`http://www.garykessler.net/library/firewall.html
`
`also be employed for a number of reasons. One reason would be limit access to the router. Most
`routers have a dedicated management port where the network administrator can directly attach via a
`terminal. However, the network manager can also usually Telnet to the router, log on, and then
`perform management functions over the local network. Even if Telnet connections from the outside
`cannot be established because of the outside filtering rules above, none of those rules would prevent a
`user from Telneting to the router from the inside. It is difficult to limit internal access to the router in
`the configuration shown in Figure 1 because it is very hard to prevent IP address spoofing from a
`nefarious user on the inside. If TCP/IP software is loaded on each PC on a LAN, for example, anyone
`can temporarily change their IP address to that of the administrator. If you anticipate attacks from the
`inside, use a directly-connected terminal for router management and use the router's operating system
`to disable Telnet access.
`
` ------------ --------------- ------------
`LAN #1 ===| Internal | | Application | | Firewall |
` | Router | | Gateway | | Router |=== Internet
`LAN #2 ===| | | | | |
` -----+------ -------+------- -----+------
` | | |
` =====+=================+================+=====
` LAN #3
`
`FIGURE 2. A slightly more sophisticated approach: an "external" firewall router used in combination with an
`application gateway and "internal" router.
`
`A combination of inside and outside filtering might also be used when resources on two different
`LANs attached to the same router are to be given different levels of protection. Alternatively, a
`common configuration is to place an application gateway on a LAN with two routers, where one
`router is connected to the WAN and the other router to the internal corporate LAN, as shown in Figure
`2; the packet filtering rules on the different sides of the Internal Router and Firewall Router will
`certainly be different.
`Packet filtering is clearly not the final word on security. While this capability exists with almost all
`routers today, there is still debate whether packet filtering provides sufficient protection or merely
`yields a false sense of security (literally and figuratively!). Application-level filters probably provide
`better security but are harder to build and maintain. Yet, almost any system can be broken through
`without continued vigilance by users; firewalls cannot, for example, protect a site from attacks in
`which something is legitimately mailed or transferred to an internal host and then executed (such as
`attacks against Sendmail).
`There is much more involved in setting up a packet filtering router than described here, not to mention
`setting up more powerful firewalls and taking stronger security measures. Some additional
`information may be found on the Internet, of course! One good starting place may be accessed by
`pointing your WWW browser at www.greatcircle.com/firewalls or www.tis.com for a list of frequently
`asked questions (FAQ) and other firewall-related topics. The FAQ is particularly informative and
`
`6 of 7
`
`5/27/14 8:55 PM
`
`Google Ex. 1517, pg. 6
`
`

`

`Firewall Routers
`
`http://www.garykessler.net/library/firewall.html
`
`discusses such topics as what a firewall can and cannot do; setting up proxy FTP, Telnet, Finger, and
`DNS servers; and problems with source routed packets. A firewall discussion list is also available on
`the Internet at firewalls@greatcircle.com; subscribe to the list by sending e-mail to
`majordomo@greatcircle.com and place the line "subscribe firewalls" in the body of the message.
`Two Request for Comments (RFC) documents are directly related to these issues as well. RFC 1244
`("Site Security Handbook") is an excellent guide to the purpose and creation -- and enforcement -- of
`security guidelines; it also includes an extensive bibliography and list of resource materials and help
`centers. RFC 1281 ("Guidelines for the Secure Operation of the Internet") suggests guidelines for
`users, service providers, and equipment vendors.
`Network administrators responsible for Internet access should be on the electronic distribution list for
`advisories from the Computer Emergency Response Team (CERT). CERT's charter is to act as a
`clearinghouse for break-ins to computer systems via the Internet or security holes reported in vendor's
`software; they disseminate appropriate information about such events and how to prevent or fix them.
`To automatically receive CERT advisories, send e-mail to cert-advisory-request@cert.org and place
`the word "subscribe" in the body of the message. Past CERT advisories can be obtained via
`anonymous FTP in the /pub/cert_advisories directory at info.cert.org. CERT may be contacted at the
`Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213-3890
`(Telephone: +1 412 268-7090; Fax: +1 412 268-6989; E-mail: cert@cert.org).
`Finally, contact your router vendor. Many have on-line WWW and/or ftp sites, as well as electronic
`mailing lists.
`The bottom-line is: Do Not Allow Your Network To Go Unprotected. The Internet is a community
`comprising many millions of users and there are people who would be happy to break into your
`network, just as there are people who would be happy to break into your home if a door or window is
`left ajar. Still not convinced? Read The Cuckoo's Egg by C. Stoll and Cyberpunk by K. Hafner and J.
`Markoff.
`
`7 of 7
`
`5/27/14 8:55 PM
`
`Google Ex. 1517, pg. 7
`
`

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket