An Architecture for Advanced Packet Filtering
Andrew Molitor
<amolitor@network.com>
Network Systems Corporation
7600 Boone Ave.
Brooklyn Park, MN 55428
Abstract
Packet filtering in routers has been underrated, treated as little
more than an adjunct to other network security measures. This paper
presents an architecture for packet filtering, and an implementation
of it, that addresses many of the perceived problems with packet
filtering. Starting from a short discussion of what constitutes a
network access policy, the paper makes the case for extremely flexible
packet filtering as an integral part of such a policy. After briefly
examining a couple of commonly used packet filtering implementations,
the paper describes a more flexible architecture for packet filtering
and gives some examples of how implementations of this architecture
can be used. After discussing how the architecture and its
implementations better support auditing and assurance procedures for
a network access policy, the paper finishes with a description of some
of the more architecturally interesting planned future development.