1.  network appliances to filter network traffic  filter on header (largely based on layers 3-5) Internet Intranet

2. Destination IP Source IP Destination Port Source Port Flag (TCP-only) ACK - acknowledge FIN - final PSH - push RST - reset SYN - synchronize URG - urgent

3.  static packet filtering  dynamic packet filtering  stateful packet filtering  proxy server

4.  static packet filtering  Network manager configures access control lists  Packets are compared to access control lists packet  Example: block

5. Problems with static filtering Blocking FIN scanning Difficult to filter ICMP Internet Control Message Protocol - designed for Internet testing/maintenance - does not use ports - has type field 0 - echo reply 3 - destination unreachable 4 - source quench (from overloaded router) 5 - redirect (indicates a better path) 6 - echo request 9 - router advertisement (for new routers) 10 - router solicitation (host request for advertisement) 11 - time exceeded (packet header may include time) 12 - parameter problem (catch all for errors) 13 - time stamp request (checking link speed) 14 - time stamp reply

6.  dynamic packet filtering  Includes all capabilities of static filtering  Maintains an Active Sessions Table packet ACLs  Example: block external FIN scan

7.  stateful packet filtering  Includes all capabilities of dynamic filtering  Also “understands” certain application behavior packet ACLs  Example: better control over UDP, NFS, RPC Active Sessions Table

8.  proxy server  Messages to destination IP are rerouted to a proxy  The proxy communicates on behalf of the destination packet destination  The proxy may also communicate with destination