Learning Thread: Low level filtering_ How, why, what , when and where?

Discussion in 'other firewalls' started by Escalader, Sep 18, 2008.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Okay here goes, I get to ask "dumb" questions and so do you posters!

    No vendor hype or bashing please , we are trying to learn here!

    1) What exactly is low level filtering in a firewall?

    2) Where does it or should it occur?

    3) When does it happen, incoming packets? outgoing? both?

    4) Doesn't my router do this for me so I don't have to think about it?

    5) Why should I worry about this it is so complicated so surely my SW FW does it for me, after all I paid for the product?

    6) I've heard of ARP what else is included in low level?
     
  2. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    No idea, but my guess would be that it filters all packets in kernel level and not in user mode. So there should be a specific firewall driver doing the filtering?
     
  3. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,559
    I guess that you are using jetico?

    It depends on what are you reffering as low level protocol.
    At the lowest level are drivers, hardware, token ring and ethernet. In other words the hardware and the network interface. ;)


    Panagiotis
     
  4. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Most of this has been answered in past threads. ('search' :) )

    Low level filtering ? Maybe that's basic packet filtering ?

    4) I think the jury is still out on that. Or maybe a difference of 'opinion'/perspective ?
    5) For most people it's usually adequate and you shouldn't worry about that. (If you're on a network or have a wireless connection, make sure that's properly dealt with.)
    It gets more dangerous if you have an advanced firewall and create rules while you don't know what you're doing.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It probably has been, but it's scattered all over, often in product specific posts. Some may find it useful if it were assembled in one place.

    IMO, defining "low level" filtering is where this would have to start, along with addressing a few questions.
    1. What qualifies as "low level"? Is this anything more than creative advertising?
    2. Is "low level filtering" any different than "deep packet inspection," "stateful inspection," or even the normal filtering that's done by most firewalls?
    3. How much does the definition of "low level" vary between the different vendors?.
    4. Assuming that it's not just an advertising gimmick, does it provide any substantial security gain in comparison to standard firewall filtering?
     
  6. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Filtering MACs (physical addresses) of network devices (NICs, routers). (Low=close to hardware). Nothing to do with advertising.

    What's "normal filtering"?
    SPI will look at packet header, DPI at the actual packet contents (payload). These two will occur at the Transport layer, where the IP protocol is. Low level filtering occurs at the lower, Network layer. Take a look at OSI model.

    On an untrusted LAN, low level filtering will prevent MAC spoofing.

    The concept of "low level filtering" is to bind a MAC address with a corresponding IP address on aa LAN. As every NIC/router will have different hardcoded MAC address, a user would need to bind these manually. Presumably, with appropriate tool, a firewall that can do this.
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,

    1) By low level filtering, I believe the idea is to check incoming traffic on layer 2 (icmp) and layer 3 levels (tcp, udp etc) and not on layer 4 - per application.

    2+3) It happens depending on the hardware setup. The filtering is mainly about inbound, as the assumption is that the system that sends packets can be trusted - hence the firewall that runs on it can work properly.

    However, if the firewall is not located on the monitored machine, but is a separate segment of the network, it could monitor everything, i.e. all passing traffic. This is the so-called promiscuous mode.

    4+5) No need to worry. Let the router / firewall do their job.

    6) Anything could be included, all depends on the hardware setup. In general, most "home" setups are restricted to the standard protocols (tcp, udp, icmp), maybe a few others. You also have enterprise level hardware that does a whole lot more.

    Mrk
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Mrk , Stem et al:

    Here is a post with a lot written about ARP filtering. It does promote a particular China based FW but if you ignore the marketing part are the features listed/ implied valid?

    https://www.wilderssecurity.com/showthread.php?p=1321032
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    For most people, ARP attacks are a non-issue.
    I don't see why all of a sudden it has become such a hot cookie.
    Just use any ole firewall and you'll be fine.
    Mrk
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Mrk:

    Agreed! Not sure it is all that hot an issue.

    For me it is just a matter of learning more about it. The thread is about learning about Low level filtering not just ARP! Maybe ARP is the least frequent matter at the Low Level? :doubt: If so that's fine!
     
  11. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Low level filtering is filtering MACs ?

    I won't claim to fully understand the technical stuff.

    Is this MAC filtering only done by the more advanced/expert firewalls, or do most common commercial firewalls (as part of a suite or as a seperate product) do that as well ?
     
  12. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Many home routers all you to filter based on MAC addresses.
     
  13. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    Any Router can...

    the main problem is if the manufacture INCLUDES it in the firmware. :doubt:

    hence like what is in my sig, people find 3rd party firmware and use it. :D


    Edit.

    Sorry Huangker if I read your post wrong. if not there is the answer if so, sorry once again bro.
     
  14. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Is there any way to check whether it is in the firmware (other than calling the company) ?
     
  15. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    use your router default address in IE or Firefox.

    Normally it could be this

    192.168.1.1
    192.168.100.1
    192.168.2.1

    those are the normal ones for routers. if you want to check it out on your own router.
     
  16. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I can access my router with a number like that.

    But how/where can I see if MAC filtering is applied ? What does it look like ?
     
  17. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    It's something you would have to enable.

    To long to explain look up mac filtering on Google.
     
  18. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    Here is a pic of what Mine looks like from one of my routers.

    ddwrt.JPG

    And

    ddwrt1.JPG

    Yours will look different but should have around the same wording.
     
  19. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Thanks, it could be that there is some kind of MAC filtering -but noting as obvious/clear as in your case.

    Maybe I'll look into it, if I can find the time.

    But I suppose it's not really necessary, since I have a software firewall.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Stem:

    Thanks, will go away for a while and study up....:cool:

    Others here may post I don't know...

    Escalader.
     
  22. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    In my opinion, there are two possibilities to look at it: first, if "low level" is reffering to the protocols handled by the firewall, then it means that the filtering ocurrs at the ethernet level. Second, if "low level" refers to where is the firewall driver located in the OS protocol stack, then it means using a kernel driver (like NDIS intermediate driver).
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Nebulus:

    I'll pass on your comment, sorry! I have not had time to study Stem's link on protocol base yet. Did you follow that link yet?
     
Loading...
Thread Status:
Not open for further replies.