IP Address spoofing Countermeasure: Discard packets with an inside source address if the packet arrives on an external interface.
Source routing attacks countermeasure: Discard all packets in which the source destination specifies the route.
Tiny Fragment Attack Countermeasure: Enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header.
Tightens rules for TCP traffic by creating a directory of TCP connections
– there is an entry for each currently established connection
– Packet filter will allows incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory
Reviews packet information but also records information about TCP connections
– Keep track of TCP sequence numbers to prevent attacks that depend on the sequence number
– Inspects data for protocols like FTP, IM, and SIPS commands
Application-Level Gateway
Also called an application proxy
Acts as a relay of application-level traffic(basically a man or system in the middle)
User -> Gateway -> RemoteHost
Must have proxy code for each application
– may restrict application features supported
– tend to be more secure than packet filters
Disadvantage
– Additional processing overhead on each connection
