Installing and Administering PPP

Chapter 5 89
Security Techniques
Static Packet Filtering
We recommend that you establish a security policy before you write a
packet filter. A security policy is a statement based on a thorough
analysis of your access needs, your vulnerabilities, and the real or
perceived threats to your assets. You must identify the types of network
traffic associated with each of these before you can create a packet
filter that supports your security policy.
The Foundations of Security Policies
In general, all security policies are based on one of two opposing
strategies. Both types of policy are supported by PPP filters.
The first strategy permits a few specific services and blocks everything
else. If you follow this philosophy, an error of omission makes a service
unavailable, which is noticed quickly and exposes nothing. This is a
fail-safe, or closed, policy.
The second strategy blocks only specific services and permits everything
else. If you begin from this premise, an error of omission may leave you
unintentionally vulnerable, because a fragile service you forgot to block
remains reachable. This is an open policy.
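The two strategies above, contrasted in a minimal stateless packet-filter evaluator. This is an added example, not part of this manual, and it does not use the syntax of the pppd Filter file; the Rule and Packet shapes, the 192.0.2.0/24 network, the probe list, and the deliberately "forgotten" rules are constructed for illustration. Each policy is given the same error of omission (one rule left out), and exposed_services reports what an outside host can still reach under each.

```python
"""Closed (default-block) versus open (default-pass) static packet filter.

Added example; not HP-UX PPP code and not pppd Filter file syntax.
Rule/packet shapes and all addresses below are this example's own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: Optional[str] = None      # None matches any protocol
    src: str = "0.0.0.0/0"           # source network, CIDR form
    dst: str = "0.0.0.0/0"           # destination network, CIDR form
    dport: Optional[int] = None      # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """Static (stateless) match on protocol, addresses and port."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], default: str, pkt: Packet) -> str:
    """First matching rule wins; `default` applies when nothing matches.
    default="block" is the closed policy, default="pass" the open one."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


INTERNAL = "192.0.2.0/24"      # constructed internal network (RFC 5737)
OUTSIDE = "198.51.100.7"       # constructed external host (RFC 5737)

# Closed policy: list the services we mean to offer, block everything else.
# The DNS rule has been left out on purpose to show the effect of an omission.
CLOSED_RULES = [
    Rule("pass", "tcp", dst=INTERNAL, dport=25),    # SMTP
    Rule("pass", "tcp", dst=INTERNAL, dport=80),    # HTTP
    # Rule("pass", "udp", dst=INTERNAL, dport=53),  # DNS, forgotten
]

# Open policy: block only services we consider fragile, pass everything else.
# The NFS block has been left out on purpose; under this policy the omission
# leaves tcp/2049 reachable instead of unavailable.
OPEN_RULES = [
    Rule("block", "tcp", dst=INTERNAL, dport=23),   # telnet
    Rule("block", "udp", dst=INTERNAL, dport=69),   # tftp
    # Rule("block", "tcp", dst=INTERNAL, dport=2049),  # NFS, forgotten
]


def closed_policy(pkt: Packet) -> str:
    return evaluate(CLOSED_RULES, "block", pkt)


def open_policy(pkt: Packet) -> str:
    return evaluate(OPEN_RULES, "pass", pkt)


# Probe packets an outside host might send to one internal machine (constructed).
PROBES = [
    Packet(p, OUTSIDE, "192.0.2.10", port)
    for p, port in [("tcp", 25), ("tcp", 80), ("udp", 53),
                    ("tcp", 23), ("udp", 69), ("tcp", 2049)]
]


def exposed_services(policy: Callable[[Packet], str],
                     probes: List[Packet]) -> List[Tuple[str, int]]:
    """Audit check: which (proto, port) pairs does the policy let through?
    Run this against the ports you did NOT intend to offer."""
    return [(p.proto, p.dport) for p in probes if policy(p) == "pass"]


if __name__ == "__main__":
    print("closed policy exposes:", exposed_services(closed_policy, PROBES))
    print("open policy exposes:  ", exposed_services(open_policy, PROBES))
```

Under the closed policy the forgotten DNS rule shows up as a broken service, which users report and you fix by adding a pass rule; under the open policy the forgotten NFS block shows up only when someone reaches tcp/2049 from outside. The exposed_services check is the review step to run whenever a ruleset changes: feed it every port you do not intend to offer and expect an empty list.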
If you need aid in developing security policies, or would like more general
information about network security and packet filtering, you should
begin by reading two books, Firewalls and Internet Security by Bill
Cheswick and Steve Bellovin and Building Internet Firewalls by Brent
Chapman and Elizabeth Zwicky.
Filter File Rulesets
When pppd starts, it checks for a filter file. If one is present, it is
parsed and installed. The default filter filename for pppd is Filter.
If you want to give the file a different name, specify the new name as the
argument to the pppd ‘filter’ option. Add the filter option only if you
want to change the name of the filter file.
A filter file contains rulesets for filtering packets. Each ruleset begins
with one of the following:
an IP address
a hostname