Learning Thread: Low level filtering_ How, why, what , when and where?

Okay here goes, I get to ask "dumb" questions and so do you posters!

No vendor hype or bashing please , we are trying to learn here!

1) What exactly is low level filtering in a firewall?

2) Where does it or should it occur?

3) When does it happen, incoming packets? outgoing? both?

4) Doesn't my router do this for me so I don't have to think about it?

5) Why should I worry about this it is so complicated so surely my SW FW does it for me, after all I paid for the product?

6) I've heard of ARP what else is included in low level?

 

No idea, but my guess would be that it filters all packets in kernel level and not in user mode. So there should be a specific firewall driver doing the filtering?

 

I guess that you are using jetico?

It depends on what are you reffering as low level protocol.
At the lowest level are drivers, hardware, token ring and ethernet. In other words the hardware and the network interface.


Panagiotis

 

Most of this has been answered in past threads. ('search' )

Low level filtering ? Maybe that's basic packet filtering ?

4) I think the jury is still out on that. Or maybe a difference of 'opinion'/perspective ?
5) For most people it's usually adequate and you shouldn't worry about that. (If you're on a network or have a wireless connection, make sure that's properly dealt with.)
It gets more dangerous if you have an advanced firewall and create rules while you don't know what you're doing.

 

It probably has been, but it's scattered all over, often in product specific posts. Some may find it useful if it were assembled in one place.

IMO, defining "low level" filtering is where this would have to start, along with addressing a few questions.

1. What qualifies as "low level"? Is this anything more than creative advertising?
2. Is "low level filtering" any different than "deep packet inspection," "stateful inspection," or even the normal filtering that's done by most firewalls?
3. How much does the definition of "low level" vary between the different vendors?.
4. Assuming that it's not just an advertising gimmick, does it provide any substantial security gain in comparison to standard firewall filtering?

 

Filtering MACs (physical addresses) of network devices (NICs, routers). (Low=close to hardware). Nothing to do with advertising.

What's "normal filtering"?
SPI will look at packet header, DPI at the actual packet contents (payload). These two will occur at the Transport layer, where the IP protocol is. Low level filtering occurs at the lower, Network layer. Take a look at OSI model.

On an untrusted LAN, low level filtering will prevent MAC spoofing.

The concept of "low level filtering" is to bind a MAC address with a corresponding IP address on aa LAN. As every NIC/router will have different hardcoded MAC address, a user would need to bind these manually. Presumably, with appropriate tool, a firewall that can do this.

 

Hello,

1) By low level filtering, I believe the idea is to check incoming traffic on layer 2 (icmp) and layer 3 levels (tcp, udp etc) and not on layer 4 - per application.

2+3) It happens depending on the hardware setup. The filtering is mainly about inbound, as the assumption is that the system that sends packets can be trusted - hence the firewall that runs on it can work properly.

However, if the firewall is not located on the monitored machine, but is a separate segment of the network, it could monitor everything, i.e. all passing traffic. This is the so-called promiscuous mode.

4+5) No need to worry. Let the router / firewall do their job.

6) Anything could be included, all depends on the hardware setup. In general, most "home" setups are restricted to the standard protocols (tcp, udp, icmp), maybe a few others. You also have enterprise level hardware that does a whole lot more.

Mrk

 

Hi Mrk , Stem et al:

Here is a post with a lot written about ARP filtering. It does promote a particular China based FW but if you ignore the marketing part are the features listed/ implied valid?

https://www.wilderssecurity.com/showthread.php?p=1321032

 

Hello,
For most people, ARP attacks are a non-issue.
I don't see why all of a sudden it has become such a hot cookie.
Just use any ole firewall and you'll be fine.
Mrk

 

Hi Mrk:

Agreed! Not sure it is all that hot an issue.

For me it is just a matter of learning more about it. The thread is about learning about Low level filtering not just ARP! Maybe ARP is the least frequent matter at the Low Level? If so that's fine!

 

Low level filtering is filtering MACs ?

I won't claim to fully understand the technical stuff.

Is this MAC filtering only done by the more advanced/expert firewalls, or do most common commercial firewalls (as part of a suite or as a seperate product) do that as well ?

 

Many home routers all you to filter based on MAC addresses.

 

Any Router can...

the main problem is if the manufacture INCLUDES it in the firmware.

hence like what is in my sig, people find 3rd party firmware and use it.


Edit.

Sorry Huangker if I read your post wrong. if not there is the answer if so, sorry once again bro.

 

Is there any way to check whether it is in the firmware (other than calling the company) ?

 

use your router default address in IE or Firefox.

Normally it could be this

192.168.1.1
192.168.100.1
192.168.2.1

those are the normal ones for routers. if you want to check it out on your own router.

 

I can access my router with a number like that.

But how/where can I see if MAC filtering is applied ? What does it look like ?

 

It's something you would have to enable.

To long to explain look up mac filtering on Google.

 

Here is a pic of what Mine looks like from one of my routers.



And



Yours will look different but should have around the same wording.

 

Thanks, it could be that there is some kind of MAC filtering -but noting as obvious/clear as in your case.

Maybe I'll look into it, if I can find the time.

But I suppose it's not really necessary, since I have a software firewall.

 

Hi Escalader,

I would suggest you first having a look at the various protocol layers:- http://www.protocolbase.net/protocols.php


- Stem

 

Stem:

Thanks, will go away for a while and study up....

Others here may post I don't know...

Escalader.

 

In my opinion, there are two possibilities to look at it: first, if "low level" is reffering to the protocols handled by the firewall, then it means that the filtering ocurrs at the ethernet level. Second, if "low level" refers to where is the firewall driver located in the OS protocol stack, then it means using a kernel driver (like NDIS intermediate driver).

 

Hi Nebulus:

I'll pass on your comment, sorry! I have not had time to study Stem's link on protocol base yet. Did you follow that link yet?