measures to be taken as we will see below. First, we look at some spoofing
attacks.
In the case of Mallory, say, trying to breach a firewall, he might use a
(source) IP address of a local network host in the hope of his packet being
delivered by a system that “trusts” the IP addresses of internal hosts.
Some examples of IP spoofing are man-in-the-middle attacks (see Footnote
3.7 on page 134). For instance, there is the routing redirect attack, where
data is redirected from the original host to Mallory's host, say. There is
also the source routing attack, where Mallory redirects individual packets.
IP spoofing is used almost always in denial-of-service attacks (see Footnote
8.8 on page 300), wherein Mallory might spoof a source IP address to
thwart tracing of his steps, and thus stopping the attack is made that much
more difficult. These are but a few of many attacks involving spoofing.
Incidentally, one misconception about spoofing is that it involves anonymous
Internet access, which is not the case: replies to a spoofed packet go to the
spoofed address, not to Mallory, so he gains no usable anonymous connection.
Diagram 8.26 Simple Firewall: Packet Filter
[Diagram: the Internet on the left and the local network on the right, with
the firewall between them. Two arrows pass through the firewall: one pointing
toward the Internet labelled “Permitted Outgoing IP Addresses”, and one
pointing toward the local network labelled “Permitted Incoming IP Addresses”.]
2. Stateful Inspection Packet Filters — Dynamic Filtering : Since
the aforementioned packet filter firewall bases its decisions on whether
the IP address or port number of a packet correspond to those listed in the
packet filter's configuration, the filtering process is static: each packet
is judged on its own, with no memory of the packets that came before it.
However, there is a methodology wherein it is possible to incorporate the
notion of the state of a connection into a packet filter. This is accomplished
by using a state table and some data in the TCP headers (the addresses, ports
and flags such as SYN and ACK) to record those packets previously given
access within a connection. In other words, stateful inspection keeps track
of an IP packet over a period of time; that is, it “remembers” the interaction
between the local network and the Internet, say. This makes it possible
to thwart unauthorized incoming traffic, such as a packet that claims to be
the reply half of a connection that no local host ever opened. This
implementation of a packet filter is called stateful inspection packet
filtering . Packets leaving the local
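The following is an added worked example, not code from the book: a toy packet filter that implements the three ideas above in one place, the anti-spoofing check against the internal-source-address trick from the spoofing discussion, the static filter of Diagram 8.26, and a stateful inspection table keyed by the TCP connection 4-tuple. The internal address range, the permitted server ports, the hosts named client, server and Mallory, and the three traffic samples are all constructed for illustration. The point it makes is the one the text states: an unsolicited inbound packet that merely looks like the reply half of a connection passes the static filter but is dropped by the state table.

```python
"""Toy packet filter: static rules vs. a stateful inspection table.

Constructed example (not from the textbook). Addresses, ports and the
traffic scenarios below are made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.1.0/24")   # assumed internal address range
SERVER_PORTS = {80, 443}                   # assumed services local hosts may reach


@dataclass(frozen=True)
class Packet:
    direction: str     # "in": Internet -> local net, "out": local net -> Internet
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def anti_spoof(pkt: Packet) -> bool:
    """Ingress/egress check against the spoofing attack in the text: a packet
    arriving from the Internet may not claim an internal source address, and
    a packet leaving the local network must carry one."""
    internal_src = ip_address(pkt.src) in LOCAL_NET
    return (not internal_src) if pkt.direction == "in" else internal_src


def static_filter(pkt: Packet) -> bool:
    """Static packet filter (Diagram 8.26 style): the decision uses only the
    addresses, ports and flags of this one packet. Inbound traffic is admitted
    when it merely *looks* like the reply half of a client connection: ACK set
    and the source port of a permitted server."""
    if not anti_spoof(pkt):
        return False
    if pkt.direction == "out":
        return pkt.dport in SERVER_PORTS
    return "ACK" in pkt.flags and pkt.sport in SERVER_PORTS


class StatefulFilter:
    """Stateful inspection: a state table keyed by the connection 4-tuple and
    updated from TCP header flags, so inbound packets are admitted only when
    they belong to a connection a local host actually opened."""

    def __init__(self) -> None:
        # (local ip, local port, remote ip, remote port) -> connection state
        self.table: dict[tuple, str] = {}

    def decide(self, pkt: Packet) -> bool:
        if not anti_spoof(pkt):
            return False
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}):          # new outbound request
                if pkt.dport not in SERVER_PORTS:
                    return False
                self.table[key] = "SYN_SENT"              # remember it
                return True
            if key not in self.table:
                return False
            if "RST" in pkt.flags:
                del self.table[key]                       # connection torn down
            return True
        # Inbound: look the packet up under the reversed tuple.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return False                                  # unsolicited: drop
        if state == "SYN_SENT":
            if pkt.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"
                return True
            return False                                  # handshake out of order
        if "RST" in pkt.flags:
            del self.table[key]
        # A real filter would also age entries out after a timeout.
        return "ACK" in pkt.flags


def run_scenarios() -> dict[str, dict[str, bool]]:
    """Push three constructed traffic samples through both filters."""
    client, server, mallory = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    out_syn = Packet("out", client, 40001, server, 80, frozenset({"SYN"}))
    in_synack = Packet("in", server, 80, client, 40001, frozenset({"SYN", "ACK"}))
    in_data = Packet("in", server, 80, client, 40001, frozenset({"ACK"}))
    # Mallory forges an internal source address, hoping the firewall trusts it.
    spoofed = Packet("in", "192.168.1.20", 5555, client, 22, frozenset({"SYN"}))
    # Mallory sends an unsolicited ACK "from" port 80: the static rule cannot
    # tell it from a reply; the state table knows no such connection exists.
    forged_ack = Packet("in", mallory, 80, client, 6000, frozenset({"ACK"}))

    sf = StatefulFilter()
    legit = (out_syn, in_synack, in_data)
    return {
        "legit": {"static": all([static_filter(p) for p in legit]),
                  "stateful": all([sf.decide(p) for p in legit])},
        "spoofed": {"static": static_filter(spoofed),
                    "stateful": sf.decide(spoofed)},
        "forged_ack": {"static": static_filter(forged_ack),
                       "stateful": sf.decide(forged_ack)},
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:11s} static={verdict['static']!s:5s} stateful={verdict['stateful']}")
```

Both filters drop the packet with the forged internal source address, because that check needs no state at all. Only the stateful filter drops Mallory's forged ACK: the static rule has no way to know that no local host ever sent a SYN to him, which is exactly the unauthorized incoming traffic the text says stateful inspection can thwart.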