Archive for the ‘MCDBA’ category

The Windows Server 2003 operating system is designed to work on a network. It receives traffic from other computers over the network. Based on the request made, it takes a decision to route packets to use its services, and processes the request sent by the client. Any computer, when accessible for communication, is also a security risk, if it is accessible from the Internet too. A server accessible from the Internet is open to all clients that can connect to it. An unauthorized user can attempt to access the system for many destructive purposes. The most common of them are listed below:

• Accessing confidential data.
• Implementing software of its own.
• Preventing others from using the server.

The most used technique to prevent such intrusions is to use packet filtering.

Packet Filtering

Packet filtering is a method that allows or restricts the flow of specific types of packets to provide security. It analyzes the incoming and outgoing packets and lets them pass or stops them based on the IP addresses of the source and destination. Packet filtering provides a way to define precisely which type of IP traffic is allowed to cross the firewall of an intranet. IP packet filtering is important when users from private intranets connect to public networks, such as the Internet.

A server implementing the filter examines each packet as it arrives and determines whether it meets the criteria for fulfilling its request. Packets that do not meet the criteria are discarded. For example, if an administrator is configuring a server that will be used as an e-mail server, he should create a filter to allow packets that are addressed to port number 25 and port number 110. This is because e-mail servers use the Simple Mail Transfer Protocol (SMTP) and the Post Office Protocol 3 (POP3). The SMTP and POP3 protocols use ports 25 and 110 respectively for communication. If a suspected intruder tries to attack the server, the server will examine the packets sent by him and discard the packets that are not addressed to use ports 25 and 110.

Ports and Protocols

Some of the important applications and the port numbers they use are summarized in the table below:

Note: The listed port numbers in the above table are also called well-known ports. The complete and updated list of well-known port numbers is available at http://www.iana.org/assignments/port-numbers.

Packet filtering is mostly configured on routers or firewalls that connect a private network to the public network such as the Internet. However, it can be configured inside the network to protect a server with confidential information from being accessed by other users on the network.

Packet Filtering Criteria

Administrators can configure packet filtering inclusively or exclusively:

• Start with a network connection that is completely blocked and use filters to specify that the traffic can pass through.
• Start with a completely open connection and specify the types of traffic to be blocked.

The criteria used for packet filtering are as follows:

• Port Numbers: This is the most common type of packet filtering criteria. Port numbers can be used to block or allow packets using certain ports.
• Protocol Identifiers: Protocol identifiers can be used to filter packets based on an entire protocol. Administrators can use this filter to block packets that are intended to use certain protocols. For example, an administrator can block all UDP and ICMP traffic. This prevents attackers from using applications that are based on these protocols.
• IP Address: IP address filtering is used by administrators to limit network access to specific computers. IP address filtering is useful for protecting a part of a private network from users on another part of the network. It should be noted that IP address filtering is not considered to be a very secure method for securing a network. Intruders can get into the network using a technique called spoofing.
• Hardware addresses: Filtering can be done through hardware addresses. Each network interface adapter at the factory is coded with the media access control (MAC) address known as hardware address. It works in the same way as IP address filtering. However, it is more difficult to spoof a hardware address than an IP address.

Packet Filtering in Windows Server 2003

Windows Server 2003 uses two packet filtering options:

• TCP/IP Packet Filtering: In Windows Server 2003, take the following steps to implement TCP/IP filtering:
  1. Run Network Connections from Start Menu > Settings > Network Connections.
  2. In the Network Connections folder, right-click the Local Area Connection icon, and click Properties.
  3. In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP), and click the Properties button.
  4. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
  5. In the Advanced TCP/IP Settings dialog box, click the Options tab. On the Options tab page, select TCP/IP filtering, and click the Properties button.
  6. In the TCP/IP Filtering dialog box, click the Enable TCP/IP Filtering (All adapters) check box. Click the appropriate Permit Only radio button to specify the port, and click the Add button.
  7. In the Add Filter dialog box, specify the port number in the TCP Port section, and click the OK button.
  8. In the TCP/IP Filtering dialog box, click the OK button.
• Routing and Remote Access Service Packet Filtering: This option is more capable than TCP/IP packet filtering. However, administrators can use this type of filtering only when a server running Windows Server 2003 is configured as a router. By using this filter, you can use many criteria that TCP/IP filtering does not have. Some of the important capabilities of this type of filtering are as follows:
  • It can create filters based on the IP addresses, protocols, and port numbers of a packet’s source or destination.
  • It can create inclusive or exclusive filters.
  • It can create filters for ICMP messages, specified by the message type and code values.
  • It can create multiple filters of the same type.

Although packet filters can prevent a network from unauthorized intrusion, this technique cannot be used for safe and secure communications.