Use Proxy Server packet filters to restrict Internet traffic.
Restricting Traffic with Packet Filters
To ensure a secure network, you must control which traffic may pass between the private network and the Internet. One way to do this is by specifying Proxy Server packet filters. Proxy Server packet filters affect the SOCKS proxy, Web proxy, and WinSock proxy alike. You can create a combination of Proxy Server packet filters to address a given security requirement.
[Image: global view of how Proxy Server packet filters are used for security]
Packet filters apply to all packets that reach the Proxy Server's interfaces.
These filters can be applied to both inbound and outbound connections. Unlike security approaches based on network service access controls, packet filters work at a lower level: they examine the IP header and the TCP or UDP header to decide whether a packet should be forwarded or dropped immediately, before any proxy service sees it.
Packet filters are nonselective regarding what proxy service or security accounts are affected. For example, you cannot create custom packet filters that affect a particular user or group. Similarly, you cannot configure a packet filter that is applied only to the WinSock proxy service, but does not apply to the Web proxy service. Think of packet filters as being global in nature. They apply to a particular proxy server as a whole, and all traffic moving to and from that proxy server will be controlled by any extant packet filters.
Packet filter restrictions
Proxy Server packet filters are network-layer filters (they act on IP, TCP and UDP header fields, not on link-layer frames) that affect the IP traffic received by Proxy Server. These filters specify which IP packets are forwarded or rejected by Proxy Server. Proxy Server packet filters are important networking tools because they restrict:
Traffic for all Proxy Server services
Both inbound and outbound traffic
Internet access to private network resources, such as servers
Private network user access to Internet-based resources, such as partner networks or Web sites
How to create packet filters
To create Proxy Server packet filters, you specify the direction of the traffic, the protocol number of the packets to be filtered, the local and remote port numbers, and the local and remote IP addresses. You can also combine filters to address a given security requirement by specifying multiple filters for each interface.
Whether you create one filter or a combination of filters, base your packet filter design on criteria that apply to your particular situation. The criteria to consider are listed in this table:
Direction
The direction of the traffic that the filter must affect. You can specify traffic inbound to the private network, outbound to the Internet, or moving in both directions. Note that a TCP conversation carries packets in both directions, so a filter that permits only one direction will not by itself carry the replies.
Protocol ID
The IP protocol ID for the filter. You can specify the TCP, UDP, or Internet Control Message Protocol (ICMP) protocol ID, another specific protocol number, or any protocol ID.
Local port
The TCP or UDP port number for the source if the packet originates from the private network, or the destination if the packet originates outside the private network. You can specify any port number, a specific port number, or the dynamic port range (the ephemeral ports a client uses for outgoing connections).
Remote port
The TCP or UDP port number for the source if the packet originates outside the private network, or the destination if the packet originates inside the private network. You can specify any port number or a specific port number.
Local host IP address
The IP address of the computer on the private network that exchanges IP packets with the remote computer on the Internet. Typically, this is the IP address of the proxy server. You can specify the default proxy server IP address, a specific IP address assigned to a proxy server interface, or the IP address of a computer on the private network.
Remote host IP address
The IP address of the remote computer on the Internet that exchanges IP packets with the computer on the private network. You can specify any IP address on the Internet, or the IP address of a specific computer on the Internet.
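The following is an added example, not code from the original course or from Proxy Server itself. It models the six filter criteria above (direction, protocol ID, local and remote port, local and remote host) as a small allow-list matcher that reads the IP header and the TCP/UDP port pair directly from raw packet bytes, then evaluates a handful of constructed packets against three filters. The proxy's external address (203.0.113.10), the private network (10.0.0.0/8), the dynamic port range (1025 to 5000) and the rule that a packet matching no filter is dropped are assumptions made for the example.

```python
"""Added example: a Proxy Server-style packet filter matcher (not the product's own code)."""
import struct
from dataclasses import dataclass
from typing import Optional, Union

# Assumed values for this example; they are not taken from the page.
PROXY_EXTERNAL_IP = "203.0.113.10"      # the proxy's Internet-facing interface
DYNAMIC_PORTS = range(1025, 5001)        # assumed "dynamic port" range
ANY, DYNAMIC = "any", "dynamic"
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def is_local(addr: str) -> bool:
    """Assumed address plan: the proxy's external address plus the 10.0.0.0/8 private network."""
    return addr == PROXY_EXTERNAL_IP or addr.startswith("10.")


@dataclass(frozen=True)
class Packet:
    direction: str              # "inbound" (from the Internet) or "outbound" (to the Internet)
    protocol: int               # IP protocol number from the IP header
    local_host: str             # address on the proxy / private-network side
    remote_host: str            # address on the Internet side
    local_port: Optional[int]   # None for protocols without ports, e.g. ICMP
    remote_port: Optional[int]


def parse_ipv4(raw: bytes) -> Packet:
    """Read only the header fields a packet filter needs: protocol, addresses, ports."""
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    protocol = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport = dport = None
    if protocol in (PROTO_TCP, PROTO_UDP):         # both carry ports in the first 4 bytes
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    if is_local(src):                              # leaving the private network
        return Packet("outbound", protocol, src, dst, sport, dport)
    return Packet("inbound", protocol, dst, src, dport, sport)


def _port_ok(rule: Union[int, str], port: Optional[int]) -> bool:
    if rule == ANY:
        return True
    if port is None:                               # no port field to compare against
        return False
    if rule == DYNAMIC:
        return port in DYNAMIC_PORTS
    return rule == port


@dataclass(frozen=True)
class PacketFilter:
    """One filter: each field is a criterion from the table; ANY means 'do not care'."""
    direction: str = "both"                        # "inbound", "outbound" or "both"
    protocol: Union[int, str] = ANY                # protocol number or ANY
    local_port: Union[int, str] = ANY              # fixed port, DYNAMIC or ANY
    remote_port: Union[int, str] = ANY             # fixed port or ANY
    local_host: str = ANY                          # specific address or ANY
    remote_host: str = ANY

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("both", p.direction)
                and self.protocol in (ANY, p.protocol)
                and _port_ok(self.local_port, p.local_port)
                and _port_ok(self.remote_port, p.remote_port)
                and self.local_host in (ANY, p.local_host)
                and self.remote_host in (ANY, p.remote_host))


def is_forwarded(filters, packet: Packet) -> bool:
    """Allow-list semantics (assumed): a packet that matches no filter is dropped.
    The same list applies to every proxy service; there is no per-user or per-service scope."""
    return any(f.matches(packet) for f in filters)


def build_ipv4(src: str, dst: str, protocol: int, sport: int = 0, dport: int = 0) -> bytes:
    """Constructed test packets: minimal 20-byte IPv4 header plus a port pair or an ICMP echo.
    Checksums are left zero; the filter never reads them."""
    if protocol in (PROTO_TCP, PROTO_UDP):
        payload = struct.pack("!HH", sport, dport) + b"\x00" * 4
    else:
        payload = struct.pack("!BBHHH", 8, 0, 0, 1, 1)       # ICMP echo request
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


FILTERS = [
    # Web browsing from the proxy's dynamic ports to port 80 anywhere, replies included.
    PacketFilter("both", PROTO_TCP, DYNAMIC, 80, PROXY_EXTERNAL_IP, ANY),
    # Published internal mail server: Internet hosts may reach port 25 on 10.0.0.5 (inbound only).
    PacketFilter("inbound", PROTO_TCP, 25, ANY, "10.0.0.5", ANY),
    # Ping in both directions.
    PacketFilter("both", PROTO_ICMP),
]

SAMPLE = {                                         # constructed packets for the scenarios
    "http_request": build_ipv4(PROXY_EXTERNAL_IP, "198.51.100.7", PROTO_TCP, 1030, 80),
    "http_reply": build_ipv4("198.51.100.7", PROXY_EXTERNAL_IP, PROTO_TCP, 80, 1030),
    "http_from_low_port": build_ipv4(PROXY_EXTERNAL_IP, "198.51.100.7", PROTO_TCP, 80, 80),
    "smtp_in": build_ipv4("198.51.100.7", "10.0.0.5", PROTO_TCP, 40000, 25),
    "smtp_reply": build_ipv4("10.0.0.5", "198.51.100.7", PROTO_TCP, 25, 40000),
    "telnet_in": build_ipv4("198.51.100.7", PROXY_EXTERNAL_IP, PROTO_TCP, 40000, 23),
    "ping_out": build_ipv4(PROXY_EXTERNAL_IP, "198.51.100.7", PROTO_ICMP),
}


def decide(raw: bytes) -> bool:
    """Forward or drop one raw packet under FILTERS."""
    return is_forwarded(FILTERS, parse_ipv4(raw))


if __name__ == "__main__":
    for name, raw in SAMPLE.items():
        print(f"{name:20s} {'forward' if decide(raw) else 'drop'}")
```

Two of the scenarios are the ones worth checking in a real design. The `http_from_low_port` packet is dropped because the local port criterion is the dynamic range, so a process binding a low source port does not slip through the web filter. The `smtp_reply` packet is also dropped: the mail filter was written as inbound only, so the server's own replies match nothing, and the published service does not work until the filter direction is changed to both (or a second outbound filter is added). The `telnet_in` case shows the default: with no matching filter the packet never reaches any proxy service.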
In the next lesson, you will learn how Proxy Server domain filters prevent unauthorized Internet access.