BS
June 4 2025
Updated June 4 2025

Traffic Filtering Tools and Why They Are Used

Networks

In the era of digitalization, the internet has become the foundation for work, communication, and data storage. However, with the growing reliance on networks, the number of threats also increases: cyberattacks, data leaks, and infrastructure overload. Traffic filtering tools play a key role in ensuring security, controlling access, and optimizing network resources. In this article, we will delve into the technical aspects of traffic filtering: what it is, how different tools work, why they are needed, and which solutions are the most popular.

What is Traffic Filtering

Traffic filtering is the process of managing data flows in a network based on predefined rules and policies. It involves analyzing network packets, determining their characteristics (source, destination, protocol, content), and making decisions on whether to allow, block, or redirect them. This process relies on the OSI (Open Systems Interconnection) model, which describes the levels of interaction in networks.

Technical Mechanisms of Filtering

  • Layer 3 (Network): Filtering based on IP addresses and protocols (e.g., IPv4, IPv6, ICMP). Devices inspect packet header fields, such as the source and destination addresses, and apply rules like "block all packets from IP 192.168.1.100."
  • Layer 4 (Transport): Analysis of ports and connection types (TCP, UDP). For example, traffic on port 80 (HTTP) can be allowed while blocking port 23 (Telnet).
  • Layer 7 (Application): Deep Packet Inspection (DPI) allows analyzing the content of data, such as HTTP headers or payload. This enables blocking specific URLs or content types (e.g., MPEG video).

Example of Operation

Suppose the network receives a packet from IP address 10.0.0.1 to port 443 (HTTPS). The firewall checks the rules:

  1. Is the source IP address allowed?
  2. Is the destination port permitted?
  3. Does the traffic comply with security policies (e.g., no suspicious patterns)?

Based on the analysis, the packet is either allowed or rejected.

Traffic filtering provides protection against threats, data control, and bandwidth management, making it indispensable in modern networks.

Types of Traffic Filtering Tools

There are several categories of traffic filtering tools, each operating at different levels and addressing specific tasks. Let’s examine them from a technical perspective.

Firewalls

Firewalls are barriers between networks that filter traffic based on defined rules. They are divided into:

Types of Firewalls

Stateless:

  • Evaluate each packet independently, without considering the connection context.
  • Example rule: "Allow TCP packets from port 80 to IP 192.168.1.10."
  • Advantage: High processing speed.
  • Disadvantage: Vulnerability to attacks using packet fragmentation.

Stateful:

  • Track the state of connections (e.g., "established," "closed") in a state table.
  • Example: Allow incoming packets only in response to an outgoing request (protection against spoofing).
  • Advantage: Higher security level.
  • Disadvantage: Requires more resources to store states.
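
The difference between the two firewall types, and the rule checks from "Example of Operation", can be seen by running the same inbound packets through both. This is an added example, not code from the original article: the Packet class, the StatefulFilter class, the internal range 192.168.1.0/24 and the sample packets are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

def stateless_allow(pkt):
    """The article's stateless rule: allow TCP from port 80 to 192.168.1.10.
    Only the header fields of this one packet are consulted."""
    return pkt.proto == "tcp" and pkt.sport == 80 and pkt.dst == "192.168.1.10"

class StatefulFilter:
    """Allows inbound packets only when they mirror a tracked outbound flow."""
    def __init__(self, inside="192.168.1.0/24"):  # assumed internal range
        self.inside = ip_network(inside)
        self.table = set()  # state table: (proto, in_ip, in_port, out_ip, out_port)

    def allow(self, pkt):
        if ip_address(pkt.src) in self.inside:
            # Outbound request: record the flow so its reply can be matched.
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: swap the endpoints and look the flow up in the state table.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

# Constructed packets (outside hosts use documentation address ranges).
REQUEST = Packet("192.168.1.10", 51000, "203.0.113.5", 80)
REPLY = Packet("203.0.113.5", 80, "192.168.1.10", 51000)
UNSOLICITED = Packet("198.51.100.7", 80, "192.168.1.10", 8080)  # no prior request

def compare():
    """Return {name: (stateless_verdict, stateful_verdict)} for inbound packets."""
    fw = StatefulFilter()
    fw.allow(REQUEST)  # the internal host opens the connection first
    return {name: (stateless_allow(p), fw.allow(p))
            for name, p in (("reply", REPLY), ("unsolicited", UNSOLICITED))}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The stateless rule accepts both inbound packets because their headers look the same to it, while the state table accepts only the reply. State entries here never expire and TCP flags are ignored, which a production stateful firewall would also track.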

Technical Features

  • Use ACL (Access Control Lists) — lists of rules specifying allowed or denied combinations of IP, ports, and protocols.
  • Support NAT (Network Address Translation), converting internal IP addresses to public ones to mask the network.
  • Can integrate VPN (Virtual Private Network) with encryption (e.g., IPsec or SSL).

Proxy Servers

Proxy servers act as intermediaries between clients and external resources, providing filtering and caching.

Mechanism of Operation

  • The client sends a request (e.g., HTTP GET to a website).
  • The proxy intercepts the request, checks its content (URL, headers), and applies filters.
  • If access is allowed, the request is forwarded to the server, and the response is cached for faster future requests.

Types of Proxies

  • Forward Proxy:
    • Hides the client, filters content (e.g., blocks websites on a blacklist).
  • Reverse Proxy:
    • Protects servers, distributing load across multiple nodes using algorithms like Round-Robin or Least Connections.

Technical Details

  • Operate at OSI Layer 7, using protocols like HTTP/HTTPS, SOCKS.
  • Support SSL Inspection: Decrypt HTTPS traffic for analysis, then re-encrypt it.

Intrusion Prevention Systems (IPS)

IPS monitor traffic in real-time and block threats.

Detection Methods

Signature-Based:

  • Compare packets to a database of signatures (e.g., SQL injection attack pattern: SELECT * FROM users WHERE id = '1' OR '1'='1').
  • Fast detection of known threats.

Anomaly-Based:

  • Create a baseline model of normal traffic (e.g., average requests per second) and detect deviations.
  • Effective against new attacks but may produce false positives.
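
Both detection methods can be run side by side over a request log. This is an added example, not code from the original article: the regular expression, the baseline values, the threshold of mean plus three standard deviations and the log entries are all constructed for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote_plus

# Constructed signature for the tautology quoted in the article: ' OR '1'='1
SQLI_TAUTOLOGY = re.compile(r"'\s*or\s*'([^']*)'\s*=\s*'\1", re.IGNORECASE)

def signature_hits(requests):
    """Signature-based: return requests whose decoded URL matches the pattern."""
    return [r for r in requests if SQLI_TAUTOLOGY.search(unquote_plus(r[2]))]

def anomalous_seconds(requests, baseline_rps, k=3.0):
    """Anomaly-based: flag (second, ip, count) above baseline mean + k * stddev."""
    limit = mean(baseline_rps) + k * pstdev(baseline_rps)
    per_second = Counter((ts, ip) for ts, ip, _url in requests)
    return sorted((ts, ip, n) for (ts, ip), n in per_second.items() if n > limit)

# Constructed baseline: per-client requests per second seen during normal use.
BASELINE_RPS = [4, 5, 6, 5, 4, 6, 5, 5]

# Constructed request log: (unix_second, client_ip, raw_url).
SAMPLE = (
    [(100, "198.51.100.7", "/index.html")] * 12             # burst from one client
    + [(100, "192.0.2.10", "/search?q=rock+or+roll")] * 3    # benign use of "or"
    + [(101, "192.0.2.10", "/users?id=1%27+OR+%271%27%3D%271")]
)

if __name__ == "__main__":
    print(signature_hits(SAMPLE))
    print(anomalous_seconds(SAMPLE, BASELINE_RPS))
```

The signature catches only the URL-encoded tautology and ignores the benign search, while the anomaly check flags the burst even though every URL in it is harmless, which is where its false positives come from.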

Technical Implementation

  • Use TCP Reassembly: Reassemble fragmented packets to analyze the full payload.
  • Integrate with SIEM systems for logging and incident analysis.

Traffic Shapers

Traffic shapers regulate bandwidth and prioritize traffic.

Operating Principles

  • Classification:
    • Determine traffic type by protocols, ports, or applications (e.g., distinguish Zoom from YouTube).
  • Queues:
    • Use algorithms like WFQ (Weighted Fair Queuing) or CBWFQ (Class-Based WFQ) to distribute bandwidth.
  • Drop or Delay:
    • Discard or delay lower-priority packets (e.g., P2P traffic).

QoS (Quality of Service)

  • Marking:
    • Assign labels to packets (e.g., DSCP or ToS) to indicate priority.
  • Shaping:
    • Limit speed (e.g., 10 Mbps for streaming).
  • Policing:
    • Strictly cut off traffic exceeding the limit.
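
Shaping and policing can enforce the same limit with different outcomes for a burst. This is an added example, not code from the original article: it uses a token bucket (one common way to implement both), the article's 10 Mbps figure, and an assumed burst allowance of 3000 bytes with constructed 1500-byte packets.

```python
RATE_BPS = 10_000_000   # 10 Mbps limit, as in the article's shaping example
BURST_BYTES = 3000      # assumed bucket depth: two full-size packets

def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Policing: packets that exceed the bucket are dropped immediately.
    packets is a time-ordered list of (arrival_s, size_bytes)."""
    tokens, last, verdicts = float(burst_bytes), 0.0, []
    for arrival, size in packets:
        # Refill for the time elapsed since the previous packet, up to the cap.
        tokens = min(burst_bytes, tokens + (arrival - last) * rate_bps / 8)
        last = arrival
        if size <= tokens:
            tokens -= size
            verdicts.append("pass")
        else:
            verdicts.append("drop")
    return verdicts

def shape(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Shaping: excess packets wait in a queue until enough tokens accrue.
    Returns the departure time of each packet; nothing is dropped."""
    tokens, clock, departures = float(burst_bytes), 0.0, []
    for arrival, size in packets:
        start = max(arrival, clock)  # cannot leave before the packet ahead of it
        tokens = min(burst_bytes, tokens + (start - clock) * rate_bps / 8)
        if size > tokens:
            start += (size - tokens) * 8 / rate_bps  # wait for missing tokens
            tokens = size
        tokens -= size
        clock = start
        departures.append(start)
    return departures

# Constructed burst: four 1500-byte packets arriving at the same instant.
BURST = [(0.0, 1500)] * 4

if __name__ == "__main__":
    print(police(BURST))
    print(shape(BURST))
```

With this burst the policer passes two packets and drops two, while the shaper sends all four and spaces the last two 1.2 ms apart, which is the serialization time of 1500 bytes at 10 Mbps.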

Purpose

Traffic filtering addresses multiple tasks, ensuring network security and performance.

  • DDoS Protection:
    • Block abnormally high traffic using request limits or behavior analysis (e.g., more than 1000 requests/second from one IP).
  • Access Control:
    • Restrict traffic by geolocation, IP, or applications (e.g., block Telegram in a corporate network).
  • Optimization:
    • Prioritize VoIP traffic (low latency, high priority) over background downloads.
  • Regulatory Compliance:
    • Log and filter data access to comply with GDPR or PCI DSS.

Most Popular Tools

Let’s look at the market leaders with their technical characteristics.

Cisco ASA

  • Features:
    • NAT, VPN (IPsec, SSL), DPI, protection against APT (Advanced Persistent Threats).
  • Performance:
    • Up to 20 Gbps throughput.
  • Special Features:
    • Support for FirePOWER modules for IPS and antivirus.

Palo Alto Networks

  • NGFW:
    • Filtering by applications (e.g., allows only chat in Slack, blocking file transfers).
  • Technologies:
    • DPI, machine learning for threat detection.
  • Integration:
    • Cloud-based Panorama platform for management.

Fortinet FortiGate

  • UTM:
    • Combines firewall, IPS, VPN, antivirus.
  • ASIC Acceleration:
    • Hardware packet processing for high speed.
  • Flexibility:
    • Suitable for SMB and large enterprises.

Check Point

  • Software Blade:
    • Modules for IPS, VPN, application control.
  • Performance:
    • Up to 100 Gbps with clustering.
  • Management:
    • Centralized through SmartConsole.

Traffic filtering is a complex process that requires a deep understanding of network technologies and threats. Tools like firewalls, proxies, IPS, and traffic shapers provide protection, control, and optimization. The choice of solution depends on the tasks: Cisco ASA for scalability, Palo Alto for detailed filtering, Fortinet for versatility, and Check Point for flexibility. Regular rule updates and monitoring are critical to maintaining effectiveness in the face of evolving cyber threats.
