We rely on access lists to allow or deny traffic flows through our networks. In this video, you’ll learn about content filters, URL filters, and firewall rules.
<< Previous: Using Secure ProtocolsNext: Wireless Security >>
There are many different ways to filter information as it’s passing through the network. If you want to keep your network secure, then you’re going to want to take advantage of access lists. A content filter includes a set of access lists that determines whether information is allowed or blocked, and it’s usually making this determination on what is inside of the packets themselves. In large organizations, you commonly see content filters being used to allow or disallow information going from the inside to the outside or vice versa.
Perhaps you’re preventing sensitive materials from being transferred out of your organization or maybe you’re using content filters at home to prevent inappropriate information from being shown in a browser. These are very useful for things like parental controls. You can also use access lists inside of your content filters to prevent anyone from going to known bad websites. There are a number of websites out there that do nothing but provide malware and viruses for your computers, so by simply adding one additional URL entry in your content list, you can prevent anybody from visiting these bad sites.
A very common type of access list in a content filter is a URL. This stands for uniform resource locator. You might also hear it referred to as a URI or uniform resource identifier. These URL filters are designed to allow or block based on what the URL happens to be. That’s the only content we’re really looking at is what’s in the address bar that’s being sent out.
These lists are generally managed by category. Instead of you having to know every single URL and manage all of them individually, you simply roll them up into broad categorizations such as auctioning, maybe known hacking sites or known malware sites, travel sites, recreation sites. You have complete control over what categories are allowed and what categories are blocked. URLs are, of course, just one particular criteria that you could use.
But you could set up some very broad access lists that might allow or disallow access to particular sites. You should be aware of the technology used in your URL filter. Some do a very good job at blocking encrypted data while others have no visibility into anything going across the network that might be encrypted. You’ll need to check with your URL filter to determine how much of this information it’s really going to be able to see. The access list inside of a firewall can be based on a number of different criteria.
It’s common to see these groupings of criteria, which we call tuples, being things like a source IP address, a destination IP address, a port number. It could be time of day or a particular application in use. And you can use any one or combination of these tuples to determine do we allow information to pass through the firewall or do we block it right at the firewall. The access list in a firewall is usually something that is evaluated from the very top and then it steps through the list all the way to the very bottom.
So as traffic is coming into the firewall, that packet is evaluated across the first item in the list. If nothing matches inside of that item, it goes to the next set. If nothing matches in that one, it goes to the next set. And it goes through each one of these access lists until it finds one that matches this particular kind of traffic. And then there’s usually a disposition of that access list that says that this traffic matches this particular rule and we’re going to either allow or disallow it through the firewall.
If we go all the way through the list on the firewall and we never match any of the rules that are inside, most firewalls are configured with something called an implicit deny. That means if there’s not a specific rule that allows that traffic through the firewall, it’s going to be always denied once it goes through the entire evaluation list. Here’s a rule set for a firewall that I took from a web service that I was using. The ISP had already configured the firewall and said here are the rules that we set up by default for your web server.
If we start evaluating this from the top to bottom, we’ll look at the first rule, and the first rule says if there is any remote IP address from any remote port going to our local port 22 on our device, then we’re going to allow that traffic through. That’s probably set up for an SSH connection on this server. The next three are for our web services. Rule two says from any remote IP, from any remote port number, if somebody is hitting our server on TCP port 80, we’re going to allow that traffic.
That obviously is to allow our web services. The next is port 443 and that’s for our encrypted web services. The next one is for port 8443 and for this particular server, there is web management that is provided in an encrypted form on this particular port, and that’s why we have an allow rule so that I as the administrator can connect to this device over that particular port number in my browser and access the administration capabilities of that web server.
We’ve got two more rules. We have rule number five which is port 53. And if anybody is coming from port 53 over UDP to any local port, allow that. That’s going to allow DNS services to our server. And rule six is for remote port 123 which is normally used for time services.
We can also see seven which has a remote IP address of All and there’s no port numbers because this one is using a different protocol, ICMP, which does not have port numbers associated with it. That would allow ping and the ability to determine if that server was alive or not. And that is also allowed. So if any traffic is passing into my server and it doesn’t match any of these access list rules in my firewall, I’m going to have an implicit deny at the bottom and all other traffic will be dropped.