A firewall can use packet filtering to limit information entering a network, or information moving from one segment of a network to another. Packet filtering uses access control lists (ACLs), which allow a firewall to accept or deny access based on packet types and other variables.

This method is effective when a protected network receives a packet from an unprotected network. Any packet that is sent to the protected network and does not fit the criteria defined by the ACLs is dropped.

However, there are problems with packet filtering:
- Arbitrary packets can be sent that fit the ACL criteria and, therefore,
pass through the filter.
- Packets can pass through the filter by being fragmented.
- Complex ACLs are difficult to implement and maintain correctly.
- Some services cannot be filtered.
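As an added illustration (not code from the text above), the following Python model shows how a stateless packet filter evaluates an ACL top to bottom with an implicit deny at the end, and why fragmentation is a problem: a non-initial fragment carries no transport header, so a rule that matches on a destination port cannot be checked against it. The `Packet` and `Rule` types, the sample ACL and the sample packets are all constructed for this example; the "lenient" fragment behaviour is a simplified model of older filters that let such fragments through any permit rule whose network-layer fields match, not a description of any particular product.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a stateless packet filter can see (constructed sample type)."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None when no transport header is present
    frag_offset: int = 0         # > 0 marks a non-initial fragment


@dataclass(frozen=True)
class Rule:
    """One ACL entry; rules are evaluated top to bottom, first match wins."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                     # CIDR, e.g. "0.0.0.0/0" for any source
    dst: str                     # CIDR for the destination
    dport: Optional[int] = None  # None means any destination port

    def needs_transport_header(self) -> bool:
        return self.dport is not None

    def matches_l3(self, pkt: Packet) -> bool:
        """Protocol and address criteria only (what is visible on every fragment)."""
        return (
            (self.proto == "ip" or self.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
        )

    def matches(self, pkt: Packet) -> bool:
        if not self.matches_l3(pkt):
            return False
        if self.dport is None:
            return True
        return pkt.dport == self.dport


def filter_packet(acl: List[Rule], pkt: Packet, strict_fragments: bool = True) -> str:
    """Return "permit" or "deny" for pkt under acl (implicit deny at the end).

    strict_fragments=True: a non-initial fragment can only match rules that need
    no port information; any rule that needs a port is skipped, so the packet
    falls through to the implicit deny unless a pure network-layer rule permits it.
    strict_fragments=False: lenient model in which a non-initial fragment passes
    any permit rule whose network-layer fields match, because the port cannot be
    checked. That is the fragmentation weakness the text describes.
    """
    non_initial = pkt.frag_offset > 0
    for rule in acl:
        if non_initial and rule.needs_transport_header():
            if strict_fragments:
                continue  # port cannot be verified on this fragment: do not match
            if rule.action == "permit" and rule.matches_l3(pkt):
                return "permit"  # lenient: assume the fragment belongs to a permitted flow
            continue
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implicit deny at the end of every ACL


# Constructed sample ACL: only HTTPS from anywhere to the 10.0.0.0/24 server
# segment is allowed; the explicit final rule mirrors the implicit deny.
ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.0/24", dport=443),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]


if __name__ == "__main__":
    # Constructed sample packets arriving from the unprotected side.
    samples = {
        "https": Packet("203.0.113.9", "10.0.0.5", "tcp", dport=443),
        "ssh": Packet("203.0.113.9", "10.0.0.5", "tcp", dport=22),
        "icmp": Packet("203.0.113.9", "10.0.0.5", "icmp"),
        "fragment": Packet("203.0.113.9", "10.0.0.5", "tcp", frag_offset=8),
    }
    for name, pkt in samples.items():
        strict = filter_packet(ACL, pkt)
        lenient = filter_packet(ACL, pkt, strict_fragments=False)
        print(f"{name:9} strict={strict:6} lenient={lenient}")
```

Running the block shows the first three packets treated identically under both policies, while the non-initial fragment is dropped under the strict policy and passed under the lenient one. The model also makes the first bullet concrete: the filter only compares header fields against the ACL, so any packet whose headers fit the permit rule is accepted regardless of who actually sent it.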