Ingress Filtering
Ingress Filtering Definition
Ingress filtering, also called inbound filtering, is a network security method that checks incoming traffic for valid source information before it enters a network. In networking, “ingress” means incoming.
Ingress filtering applies specific rules at a router or firewall to decide which data packets to let pass through and which to drop. These rules usually check whether a packet’s source IP address matches an approved address range. They can also check details such as the destination address, protocol, and port.
How Ingress Filtering Works
Ingress filtering uses a pass-or-drop check at the network edge. A router or firewall compares the source IP address on an incoming packet with the address ranges expected on that connection. If the packet matches, the device forwards it. If the packet uses a forged address, a reserved address, a private address on public internet traffic, or another source outside the expected range, the device drops it.
Network operators often apply ingress filtering where one network connects to another, such as the point where a customer network connects to an internet service provider (ISP). Multihomed networks, which connect to more than one ISP, need more careful filtering rules to avoid blocking legitimate traffic.
Common Uses of Ingress Filtering
- IP spoofing protection: Blocks packets that use forged source addresses.
- Distributed denial-of-service (DDoS) mitigation: Reduces attack traffic that uses IP address spoofing, though it doesn’t stop floods from valid addresses.
- Network access control: Limits incoming traffic to approved sources, services, or protocols.
- Source validation: Checks whether incoming packets come from expected address ranges before forwarding them.
Ingress Filtering vs Egress Filtering
Ingress filtering checks traffic entering a network, while egress filtering checks traffic leaving a network. Ingress rules help keep unwanted or spoofed traffic out. Egress rules help stop internal systems from sending unauthorized traffic, leaking data, or taking part in attacks. Many networks use both methods to control traffic at the network edge.
Read More
FAQ
Ingress filtering checks incoming traffic before it enters a network. It reviews packet details, such as the source IP address, and blocks traffic that doesn’t match approved rules. This helps stop spoofed packets, unauthorized sources, and some attack traffic from reaching internal systems.
Ingress filtering can block packets with spoofed IP addresses, reserved addresses, private addresses, or sources that don’t match routing rules. Network teams can also create rules for ports, protocols, or traffic sources.
No, ingress filtering and egress filtering control traffic in opposite directions. Ingress filtering checks incoming traffic, while egress filtering checks outgoing traffic. It’s common for networks to implement both ingress and egress filtering for enhanced security.
No. Ingress filtering reduces attacks that rely on IP address spoofing, including some denial-of-service (DoS) traffic. It doesn’t stop every flood, scan, or unauthorized request, so networks usually use it with other security controls.
45-Day Money-Back Guarantee