Recent years have witnessed an explosive growth in the use of computer networks. In fact, the use of computer networks to connect disparate computer systems around the world has become a routine and accepted fact. One result of the ever-increasing use of computer networks is an ever-increasing need for security systems.
Computer networks that use the Internet protocol are commonly referred to as "IP networks." Within IP networks, host systems and other objects are identified by thirty-two bit numbers, known as Internet Protocol Addresses (IP addresses). IP addresses provide a simple mechanism for identifying the source and destination of messages sent within IP networks. Unfortunately, several methods exist that allow IP addresses to be falsified, or forged. By forging an IP address, a malicious user may usurp messages within the IP network, possibly gaining access to sensitive information. Forging IP address also allows malicious users to send bogus messages. These messages can easily have a negative impact on network security if a receiving system accepts them as genuine. In a general sense, the possibility that IP addresses may be forged forces systems within IP networks to assume that IP addresses are unreliable.
The unreliability of IP addresses has also discouraged the development and use of programs known as "packet filters." More specifically, packet filters are programs that are positioned at key points within an IP network, such as within network routers. Packet filters examine packets that cross these key points and discard those packets that appear to present a threat to network security.
An example of packet filtering would be a company that uses a router to link its internal intranet with an external network, such as the Internet. In such a network, a packet filter positioned within the router could inspect the header of each received packet to determine the address of the system sending the packet. Clearly, in this case, packets that arrive from the Internet but that have source addresses that correspond to addresses of systems within the company intranet are suspect. A packet filter included in a router would, therefore, discard packets of this type.
The preceding example of a packet filter works well because it assumes that the source address included in a IP packet may be forged. In fact, the example packet filter is designed to detect this type of forged source address. Unfortunately, the unreliability of IP addresses has, to some extent, discouraged a more generalized use of packet filtering systems.