Filtering

In the context of networks, filtering is a firewall-like process performed by screening routers. Most routers today have filtering functions. These routers evaluate information in a packet, such as the source and/or destination address, or application type (based on port number).

The basic filtering rule is "all that is not expressly permitted is denied." In other words, drop all packets except those that have been previously specified as being acceptable. Routers look inside packets and evaluate any of the following:

  • Source addresses, to determine whether the source is allowed to access systems on the other side of the router. For example, you could block a competitor from accessing your Web site.

  • Destination addresses, to restrict packets from reaching a particular system. For example, you could block all packets from the Internet that are addressed to systems that should only be accessed by internal users.

  • Service ports, to prevent someone from using an application such as Telnet, FTP, SMTP, or other utilities that might pose a security threat to internal systems.

  • SYN filtering, to prevent an external system from establishing internal connections. A TCP packet with SYN set (and ACK clear) is trying to establish a connection. If such a packet is received from the outside, it is dropped. Note that internal systems can still establish external connections: a SYN packet is allowed to go out, and the target system returns a SYN+ACK packet, which is allowed through the router. See "Connection Establishment" for additional details.

One reason for blocking IP addresses is to prevent spoofing attacks. A spoofed packet originates from an unknown/unauthorized source and contains a fake source address. The fake address makes the packet appear to be from a system on your own internal network or a trusted system. A screening router will drop such packets. How does it know a packet is spoofed? Simple: if the packet arrives on the external interface with an internal source address, it is fake.
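The rules above (default deny, source and destination address filters, service-port filters, SYN filtering, and the anti-spoofing check on the external interface) can be modelled as a small stateless screening filter. The following is an added example, not code from the original entry; the addresses are constructed documentation ranges, and the "competitor" network, the public web server, and the internal-only host are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology using documentation address ranges (RFC 5737), not real hosts.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")          # our internal network
PUBLIC_WEB_SERVER = ipaddress.ip_address("192.0.2.10")       # reachable from outside on port 80
INTERNAL_ONLY_HOSTS = {ipaddress.ip_address("192.0.2.20")}   # e.g. an intranet file server
BLOCKED_SOURCES = ipaddress.ip_network("198.51.100.0/24")    # hypothetical competitor's range
RISKY_PORTS = {21, 23, 25}                                   # FTP, Telnet, SMTP


@dataclass
class Packet:
    iface: str          # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def screen(pkt):
    """Return (verdict, reason) for one packet. Anything not expressly permitted is dropped."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.iface == "ext":
        # Anti-spoofing: an internal source address cannot legitimately arrive from outside.
        if src in INTERNAL_NET:
            return "drop", "spoofed internal source on external interface"
        # Source-address filtering.
        if src in BLOCKED_SOURCES:
            return "drop", "blocked source network"
        # Destination-address filtering: hosts meant for internal users only.
        if dst in INTERNAL_ONLY_HOSTS:
            return "drop", "internal-only destination"
        # Service-port filtering.
        if pkt.dport in RISKY_PORTS:
            return "drop", "risky service port"
        # SYN filtering: outsiders may not open connections, except to the public web server.
        if pkt.syn and not pkt.ack:
            if dst == PUBLIC_WEB_SERVER and pkt.dport == 80:
                return "accept", "new connection to public web server"
            return "drop", "inbound SYN"
        # A SYN+ACK (or later ACK) toward an internal host is a reply to a connection we opened.
        if pkt.ack and dst in INTERNAL_NET:
            return "accept", "reply to internally initiated connection"
        return "drop", "default deny"
    # Internal interface: internal hosts may open outbound connections; anything else is dropped.
    if src in INTERNAL_NET:
        return "accept", "outbound from internal host"
    return "drop", "default deny"
```

Replies are recognized only by their ACK flag, so this is stateless screening; the stateful inspection described under "Firewall" tracks each connection instead of trusting the flag alone.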

See "Firewall" for more information about filtering and advanced network security techniques.

Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.