

Secure Proxy Server
Lesson 5: Restricting traffic with packet filters
Objective: Use Proxy Server packet filters to restrict Internet traffic.

Restricting Traffic with Packet Filters

To ensure a secure network, you must control which traffic is allowed to pass between the private network and the Internet. This can be done by specifying Proxy Server packet filters. Proxy Server packet filters affect the SOCKS proxy, Web proxy, and WinSock proxy. You can create a combination of Proxy Server packet filters to address any security requirement. The following image provides a global view of how Proxy Server packet filters can be used for security.
[Image: Proxy Server packet filters]

Packet filters apply to all packets that reach the Proxy Server's interfaces. These filters can be applied to both inbound and outbound connections. Unlike the security approaches based on network service access controls, packet filters work at a lower level, and examine the IP and TCP headers to assess whether a packet should be forwarded or dropped immediately.
Packet filters are nonselective regarding what proxy service or security accounts are affected. For example, you cannot create custom packet filters that affect a particular user or group. Similarly, you cannot configure a packet filter that is applied only to the WinSock proxy service, but does not apply to the Web proxy service. Think of packet filters as being global in nature. They apply to a particular proxy server as a whole, and all traffic moving to and from that proxy server will be controlled by any extant packet filters.

Packet filter restrictions

Proxy Server packet filters are layer-two filters that affect the IP traffic received by Proxy Server. These filters specify which IP packets are forwarded or rejected by Proxy Server. Proxy Server packet filters are important networking tools because they restrict:
  1. Traffic for all Proxy Server services
  2. Both inbound and outbound traffic
  3. Internet access to private network resources, such as servers
  4. Private network user access to Internet-based resources, such as partner networks or Web sites

How to create packet filters

To create Proxy Server packet filters, you specify the source or destination IP address range and the protocol number of the packets to be filtered. You can also combine filters to address any security requirement by specifying multiple filters for each interface.
Whether you create one filter or a combination of filters, you should base your packet filter design on criteria that apply to your particular situation. The criteria to consider are listed in this table:

Criteria and explanation:
  Direction: The direction of the traffic that the filter must affect. You can specify traffic inbound to the private network, outbound for the Internet, or moving in both directions.
  Protocol ID: The IP protocol ID for the filter. You can specify the TCP protocol ID, the Internet Control Message Protocol (ICMP) protocol ID, or any protocol ID.
  Local port: The TCP or UDP port number for the source if the packet originates from the private network, or the destination if the packet originates outside the private network. You can specify any port number, a specific port number, or a range of unknown port numbers.
  Remote port: The TCP or UDP port number for the source if the packet originates outside the private network, or the destination if the packet originates inside the private network. You can specify any port number, a specific port number, or a range of unknown port numbers.
  Local host IP address: The IP address of the computer on the private network that exchanges IP packets with the remote computer on the Internet. Typically, this is the IP address of the proxy server. You can specify the default proxy server IP address, a specific IP address assigned to a proxy server interface, or the IP address of a computer on the private network.
  Remote host IP address: The IP address of the remote computer on the Internet that exchanges IP packets with the computer on the private network. You can specify any IP address from the Internet, or the IP address of a specific computer on the Internet.
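The following worked example, added here and not part of the original lesson, models the six criteria above as a small default-deny filter evaluator. Because the lesson describes filters as stateless matches on the IP and TCP headers, the example assumes that reply traffic needs its own inbound filter; the proxy address 192.0.2.10, the remote addresses and the port values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

TCP, UDP, ICMP = 6, 17, 1                 # IP protocol IDs from the IP header
PortRule = Union[None, int, Tuple[int, int]]  # None = any, int = specific, (lo, hi) = range

@dataclass(frozen=True)
class Packet:
    direction: str                     # "inbound" (from the Internet) or "outbound"
    protocol: int                      # IP protocol ID
    local_ip: str                      # private-network side address
    remote_ip: str                     # Internet side address
    local_port: Optional[int] = None   # None for ICMP, which carries no ports
    remote_port: Optional[int] = None

@dataclass(frozen=True)
class Filter:
    direction: str = "both"            # "inbound", "outbound" or "both"
    protocol: Optional[int] = None     # None = any protocol ID
    local_host: str = "0.0.0.0/0"      # address or CIDR; default = any local host
    remote_host: str = "0.0.0.0/0"     # address or CIDR; default = any Internet host
    local_port: PortRule = None
    remote_port: PortRule = None

def port_ok(rule: PortRule, port: Optional[int]) -> bool:
    """Apply a port criterion: any port, one specific port, or an inclusive range."""
    if rule is None:
        return True
    if isinstance(rule, tuple):
        return port is not None and rule[0] <= port <= rule[1]
    return port == rule

def matches(f: Filter, p: Packet) -> bool:
    """True when every criterion of the filter matches the packet's headers."""
    return (f.direction in ("both", p.direction)
            and (f.protocol is None or f.protocol == p.protocol)
            and ipaddress.ip_address(p.local_ip) in ipaddress.ip_network(f.local_host)
            and ipaddress.ip_address(p.remote_ip) in ipaddress.ip_network(f.remote_host)
            and port_ok(f.local_port, p.local_port)
            and port_ok(f.remote_port, p.remote_port))

def decide(filters: List[Filter], p: Packet) -> str:
    """Default deny (assumed): forward only if at least one filter admits the packet."""
    return "forward" if any(matches(f, p) for f in filters) else "drop"

# Constructed policy: only the proxy's own interface may talk HTTP and DNS.
PROXY_IP = "192.0.2.10"
FILTERS = [
    Filter("outbound", TCP, PROXY_IP, local_port=(1024, 65535), remote_port=80),
    Filter("inbound", TCP, PROXY_IP, local_port=(1024, 65535), remote_port=80),  # HTTP replies
    Filter("both", UDP, PROXY_IP, local_port=(1024, 65535), remote_port=53),     # DNS both ways
]
```

Run `decide(FILTERS, packet)` for any Packet; an inbound connection to the proxy's Telnet port, an ICMP echo from the Internet, or an internal host bypassing the proxy all fall through to "drop".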

In the next lesson, you will learn how Proxy Server domain filters prevent unauthorized Internet access.

Restrict Packet Filter - Quiz

Click the Quiz button to check your understanding of when and how to use packet filters.