Filtering
What is filtering in cybersecurity?
Filtering in cybersecurity is a fundamental security mechanism that protects networks, systems, and data by examining inbound and outbound traffic and applying rules to allow, block, or redirect it. The object inspected may be a network packet, a URL, an email message, a DNS query, or application-layer data, and the criteria may be IP addresses, port numbers, protocols, content patterns, or threat signatures. Rules are normally evaluated in order, with a default action for anything unmatched; a default of deny is the safer choice, because new or unexpected traffic is then blocked rather than admitted.
Filtering can be implemented through a wide range of technologies, including:
- Firewalls – Inspect network packets and enforce access control rules at the network perimeter or between segments.
- Proxy servers – Act as intermediaries that filter web traffic based on URL categories, content types, or reputation scores.
- DNS resolvers – Block access to known malicious or unwanted domains at the DNS resolution level.
- Email gateways – Scan inbound and outbound emails for spam, phishing attempts, malware attachments, and policy violations.
- Endpoint security solutions – Apply filtering rules directly on user devices to control application behaviour and network connections.
Organisations such as NIST and CISA recommend filtering as a core component of any layered cybersecurity strategy.
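As an added example of the email-gateway item in the list above (this is not code from the original page or from any product it mentions), the following Python script applies three content checks a gateway typically makes before delivery: a display name that impersonates the organisation's own domain while the real sender is external, HTML links whose visible text shows one host but whose href points to another (plus any link whose host is on a blocklist), and attachments that are executable by extension or by file signature. The sample messages, the blocklist and the organisation domain are constructed for the example.

```python
# Added example: content checks an email gateway applies before delivery.
# Sample messages, blocklist and organisation domain are constructed for the example.
import email
import re
from email import policy

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
EXECUTABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso")


def hostname(url: str) -> str:
    """Host part of an http(s) URL, ignoring userinfo and port."""
    return url.split("://", 1)[1].split("/", 1)[0].split("@")[-1].split(":")[0].lower()


def listed(host: str, domains) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_message(raw: bytes, blocked_domains, org_domain: str):
    """Return ("quarantine", findings) or ("deliver", [])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Header check: display name impersonates our own domain from an outside address.
    for addr in (msg["from"].addresses if msg["from"] else ()):
        if org_domain in addr.display_name.lower() and addr.domain.lower() != org_domain:
            findings.append(f"display name '{addr.display_name}' but sender is {addr.addr_spec}")

    # 2. Link checks on every non-attachment text/HTML body.
    urls = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            body = part.get_content()
            urls.update(URL_RE.findall(body))
            for href, text in ANCHOR_RE.findall(body):
                shown = URL_RE.search(text)
                # Visible text shows a URL, but the link itself goes to a different host.
                if shown and hostname(shown.group()) != hostname(href):
                    findings.append(f"link text shows {hostname(shown.group())} but points to {hostname(href)}")
    for url in sorted(urls):
        if listed(hostname(url), blocked_domains):
            findings.append(f"link to blocked domain {hostname(url)}")

    # 3. Attachment checks: judge by declared name and by file signature, not name alone.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        reasons = []
        if name.endswith(EXECUTABLE_EXT):
            reasons.append("executable extension")
        if (part.get_payload(decode=True) or b"")[:2] == b"MZ":
            reasons.append("PE executable signature")
        if reasons:
            findings.append(f"attachment '{name}': " + ", ".join(reasons))

    return ("quarantine" if findings else "deliver"), findings


# Constructed phishing sample: spoofed display name, deceptive link, disguised executable.
PHISH = b"""From: "it-support@corp.example" <alerts@mail-relay.example>
To: user@corp.example
Subject: Password expiry
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<p>Your password expires today. Sign in at
<a href="http://login.evil.example/reset">https://sso.corp.example/</a></p>
--b1
Content-Type: application/octet-stream; name="policy.pdf.exe"
Content-Disposition: attachment; filename="policy.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed benign sample.
CLEAN = b"""From: Alice <alice@partner.example>
To: user@corp.example
Subject: Lunch
Content-Type: text/plain; charset=us-ascii

Menu is at https://www.example.com/menu
"""

BLOCKED = {"evil.example"}
```

Checking the attachment's first bytes as well as its name is what catches a renamed executable; a gateway that trusts the extension alone is defeated by a filename like invoice.pdf with a PE payload.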
Why is filtering important for cybersecurity?
Filtering serves as one of the first lines of defence in a security architecture. Its importance stems from several critical functions:
- Preventing unauthorised access: By blocking traffic from untrusted sources or to restricted destinations, filtering limits the attack surface available to threat actors.
- Blocking malicious content: Filtering identifies and stops malware, ransomware, phishing emails, and exploit kits before they reach end users or critical systems.
- Enforcing acceptable use policies: Organisations can restrict access to inappropriate, non-productive, or high-risk websites and services.
- Managing network bandwidth: By controlling the types of traffic allowed on a network, filtering helps optimise performance and prevent abuse.
- Regulatory compliance: Many industry standards and regulations require controls of this kind to protect sensitive data, for example the boundary protection and malicious code protection controls in NIST's control catalogue; OWASP guidance covers the application-layer counterpart, validating and filtering untrusted input.
Without effective filtering, organisations are significantly more exposed to data breaches, network intrusions, and operational disruptions.
How does network traffic filtering protect systems?
Network traffic filtering operates at various layers of the OSI model to inspect and control data flow:
- Packet filtering (Layers 3–4): Examines each packet in isolation based on source/destination IP addresses, port numbers, and protocol. For example, a firewall performing packet filtering can drop all traffic from known malicious IP ranges before any connection is established. Because each packet is judged alone, a stateless filter that must admit replies to outbound connections ends up permitting a broad range of inbound ports.
- Stateful inspection (Layers 3–4 with connection tracking): Records each permitted connection (for TCP, from the initial SYN) in a state table and judges later packets in that context, so the reply to a connection an internal host opened is allowed through while an unsolicited packet to the same port, or a TCP segment that belongs to no tracked connection, is dropped.
- Application-layer filtering (Layer 7): Analyses the actual content and behaviour of traffic, such as HTTP requests, file transfers, or database queries, to detect threats that lower-layer controls cannot see because they arrive over an allowed port.
- Content filtering: Application-layer filtering applied to message bodies, attachments, and files rather than to connections. An email gateway using content filtering can quarantine messages containing spam or phishing links, stopping users from interacting with social engineering attacks.
By combining multiple filtering approaches, organisations create a defence-in-depth strategy recommended by SANS Institute, where threats must bypass several inspection points before reaching critical assets.
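The difference between packet filtering and stateful inspection described above, as an added example that is not part of the original page: a small Python filter with a hypothetical rule format, evaluated first-match with default deny, run first without and then with a connection table. The rule set, addresses and traffic are constructed for the example.

```python
# Added example: first-match, default-deny packet filter, stateless and then stateful.
# Rule format, packet tuples and addresses are constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str              # "tcp" or "udp"
    direction: str          # "in" = arriving from the Internet, "out" = leaving the LAN
    syn: bool = False       # TCP SYN flag: set only on the first segment of a connection


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" or "out"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class StatelessFilter:
    """Judges every packet on its own headers: first matching rule wins."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"  # default deny: traffic no rule explicitly allows is dropped


class StatefulFilter(StatelessFilter):
    """Adds a connection table so replies to permitted connections pass without an
    inbound rule that would also admit unsolicited traffic to the same ports."""
    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.conntrack = set()  # 5-tuples of connections a rule allowed to open

    def decide(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.conntrack:
            return "allow"      # ESTABLISHED: reply to a connection we let through
        if p.proto == "tcp" and not p.syn:
            return "deny"       # TCP segment that belongs to no tracked connection
        action = super().decide(p)  # NEW connection: consult the rule set
        if action == "allow":
            self.conntrack.add(flow)
        return action


RULES = [
    Rule("allow", "in", "tcp", dst="203.0.113.10/32", dport=443),  # published HTTPS server
    Rule("allow", "out", "any", src="10.0.0.0/8"),                 # LAN may open connections
    Rule("deny", "in"),                                            # everything else inbound
]

# Constructed traffic using documentation/private address ranges.
CLIENT_SYN   = Packet("10.0.0.5", 51000, "198.51.100.7", 443, "tcp", "out", syn=True)
SERVER_REPLY = Packet("198.51.100.7", 443, "10.0.0.5", 51000, "tcp", "in")
UNSOLICITED  = Packet("198.51.100.7", 443, "10.0.0.5", 51001, "tcp", "in")
ACK_SCAN     = Packet("192.0.2.66", 40000, "203.0.113.10", 443, "tcp", "in")
LEGIT_SYN    = Packet("192.0.2.66", 40000, "203.0.113.10", 443, "tcp", "in", syn=True)


def run_stateless():
    f = StatelessFilter(RULES)
    return [f.decide(p) for p in (CLIENT_SYN, SERVER_REPLY, UNSOLICITED)]


def run_stateful():
    f = StatefulFilter(RULES)
    return [f.decide(p) for p in (CLIENT_SYN, SERVER_REPLY, UNSOLICITED, ACK_SCAN, LEGIT_SYN)]
```

With the same rule set, the stateless filter drops the server's reply to the LAN client (the only way to admit it would be an inbound allow for every high port), while the stateful filter admits that reply, still drops the unsolicited packet and the out-of-state ACK aimed at the published server, and admits a proper SYN to the server because a rule allows it.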
When should deep packet inspection filtering be used?
Deep packet inspection (DPI) is an advanced form of filtering that examines the full payload of network packets rather than just header information. DPI should be considered in the following scenarios:
- High-security environments: Government networks, financial institutions, and healthcare organisations that handle highly sensitive data benefit from DPI's ability to detect malicious payloads and advanced persistent threat (APT) activity inside otherwise permitted traffic. DPI can only read payloads that are in cleartext: for TLS-encrypted traffic it is limited to unencrypted metadata such as the Server Name Indication (SNI) in the ClientHello and certificate fields, unless the organisation also deploys TLS interception that terminates and re-encrypts connections.
- Compliance-driven industries: When regulations demand granular visibility into network traffic for audit and forensic purposes.
- Threat hunting and incident response: Security operations centres (SOCs) use DPI to identify indicators of compromise (IoCs) hidden within seemingly normal traffic flows.
- Application control: When organisations need to enforce policies on specific application behaviours, such as preventing data exfiltration through allowed services.
However, DPI is resource-intensive and can introduce latency. It should be deployed at critical network junctions rather than across every segment, and privacy considerations must be addressed before payloads of user traffic are inspected or retained. Where DPI depends on TLS interception, the inspection device holds a CA certificate that every client trusts and becomes a single point of compromise, so it must be hardened and must validate upstream certificates at least as strictly as the clients it stands in for.
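An added example (not from the original page) of what DPI can and cannot see: a Python inspector that reads the TCP payload rather than the headers, pulls the Host header from a plaintext HTTP request and the SNI from a TLS ClientHello, matches them against a domain blocklist, and reports TLS application data as opaque. The blocklist and sample payloads are constructed here; build_client_hello is a helper written for the example to produce a minimal ClientHello, not a library call.

```python
# Added example: payload-level inspection of a TCP segment versus header-only filtering.
# build_client_hello is a helper written for this example; blocklist and payloads are constructed.
import re
import struct

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


def http_host(payload: bytes):
    """Host header of a plaintext HTTP/1.x request, or None if this is not one."""
    try:
        head = payload.decode("ascii").partition("\r\n\r\n")[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()
    return None


def tls_sni(payload: bytes):
    """Server name from the SNI extension of a TLS ClientHello, or None."""
    # Record header (5 bytes): type 0x16 = handshake; handshake header (4): type 0x01 = ClientHello
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 9 + 2 + 32                                          # skip client_version and random
    p += 1 + payload[p]                                     # session_id
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]      # cipher_suites
    p += 1 + payload[p]                                     # compression_methods
    if p + 2 > len(payload):
        return None                                         # no extensions at all
    end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[p:p + 4])
        p += 4
        if etype == 0:                                      # server_name extension
            q = p + 2                                       # skip server_name_list length
            while q + 3 <= p + elen:
                ntype, nlen = payload[q], struct.unpack("!H", payload[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                              # host_name entry
                    return payload[q:q + nlen].decode("ascii", "replace").lower()
                q += nlen
        p += elen
    return None


def inspect(payload: bytes, blocklist):
    """Classify a payload and decide pass/drop from the domain it reveals, if any."""
    if payload[:1] == b"\x16":
        proto, host = "tls-handshake", tls_sni(payload)
    elif payload[:1] == b"\x17":
        proto, host = "tls-appdata", None   # encrypted: opaque without TLS interception
    else:
        host = http_host(payload)
        proto = "http" if host else "unknown"
    blocked = host is not None and any(host == d or host.endswith("." + d) for d in blocklist)
    return proto, host, "drop" if blocked else "pass"


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2-style ClientHello carrying only an SNI extension (constructed sample)."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32            # client_version + random
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


BLOCKLIST = {"bad.example"}
SAMPLES = {
    "http_bad":  b"GET /login HTTP/1.1\r\nHost: bad.example\r\nUser-Agent: x\r\n\r\n",
    "http_ok":   b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "tls_hello": build_client_hello("cdn.bad.example"),
    "tls_data":  b"\x17\x03\x03\x00\x20" + bytes(32),  # encrypted application data
}


def run_samples():
    return {k: inspect(v, BLOCKLIST) for k, v in SAMPLES.items()}
```

Both the plaintext request and the ClientHello give up a hostname that the blocklist can act on, but once the TLS handshake completes the application data records carry nothing the inspector can classify; the SNI is the last cleartext signal, and TLS 1.3 Encrypted Client Hello removes even that where it is deployed.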
Which type of filtering is best for small businesses?
Small businesses often have limited budgets and IT resources, so the ideal filtering solution should balance effectiveness, simplicity, and cost. The following approaches are particularly well-suited:
- DNS filtering: One of the easiest and most cost-effective solutions. By pointing clients at a resolver that refuses to resolve known malicious and unwanted domains, small businesses gain broad protection with minimal configuration and maintenance. The control only works if clients actually use that resolver, so outbound DNS to other servers (port 53, and encrypted DNS over HTTPS or TLS to public resolvers) should be blocked at the firewall, and malware that connects straight to an IP address is not affected by it.
- Unified Threat Management (UTM) firewalls: These all-in-one appliances combine packet filtering, web content filtering, email filtering, and intrusion prevention in a single device—ideal for organisations that cannot manage multiple standalone solutions.
- Cloud-based email filtering: Services that scan emails before they reach the organisation's mail server, eliminating spam, phishing, and malware without requiring on-premises infrastructure.
- Managed security services: Outsourcing filtering to a managed security service provider (MSSP) allows small businesses to benefit from enterprise-grade protection without the overhead of in-house expertise.
As recommended by CISA, even basic filtering—when properly configured and regularly updated—dramatically reduces the risk of common cyber threats that disproportionately affect small businesses.
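DNS filtering as described in the list above, as an added example that is not code from the original page or from any resolver product: a Python filter that parses a wire-format DNS query, checks the queried name and its parent domains against a blocklist with an allowlist override, and either forwards the query or answers it itself with a sinkhole address (for A queries) or NXDOMAIN. The blocklist, allowlist and queries are constructed for the example.

```python
# Added example: a DNS filter that parses the query on the wire and answers blocked names itself.
# Blocklist, allowlist and queries are constructed for this example.
import socket
import struct

A_RECORD = 1


def encode_qname(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name: str, qtype: int = A_RECORD, txid: int = 0x1234) -> bytes:
    """Standard recursive query (RD=1) with one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_query(msg: bytes):
    """Return (txid, lower-cased name, qtype, raw question section)."""
    txid = struct.unpack("!H", msg[:2])[0]
    p, labels = 12, []
    while True:
        n = msg[p]
        p += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[p:p + n].decode("ascii").lower())
        p += n
    qtype = struct.unpack("!H", msg[p:p + 2])[0]
    return txid, ".".join(labels), qtype, msg[12:p + 4]


def listed(name: str, domains) -> bool:
    """Match the name itself or any parent domain, so www.evil.example hits evil.example."""
    return any(name == d or name.endswith("." + d) for d in domains)


class DnsFilter:
    def __init__(self, blocklist, allowlist=(), sinkhole="0.0.0.0"):
        self.blocklist, self.allowlist = set(blocklist), set(allowlist)
        self.sinkhole = socket.inet_aton(sinkhole)

    def handle(self, query: bytes):
        """Return (verdict, name, response); response is None when the query
        should be forwarded to the upstream resolver."""
        txid, name, qtype, question = parse_query(query)
        if listed(name, self.allowlist) or not listed(name, self.blocklist):
            return "forward", name, None
        if qtype == A_RECORD:
            # NOERROR answer pointing the client at the sinkhole address, short TTL
            header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
            answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, 60, 4) + self.sinkhole
            return "sinkhole", name, header + question + answer
        # Anything else (AAAA, TXT, ...) gets NXDOMAIN so the client stops asking
        header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)
        return "nxdomain", name, header + question


def decode_response(resp: bytes):
    """Summarise a response built above: (txid, rcode, answer count, answer IP or None)."""
    txid, flags, _, ancount = struct.unpack("!HHHH", resp[:8])
    ip = socket.inet_ntoa(resp[-4:]) if ancount else None
    return txid, flags & 0xF, ancount, ip


FILTER = DnsFilter(blocklist={"evil.example", "tracker.example"},
                   allowlist={"safe.tracker.example"})


def run_samples():
    queries = [
        ("evil.example", A_RECORD),
        ("WWW.Evil.Example", A_RECORD),       # parent-domain match, case-insensitive
        ("safe.tracker.example", A_RECORD),  # allowlist overrides the blocklist
        ("evil.example", 28),                # AAAA for a blocked name
        ("www.example.com", A_RECORD),
    ]
    return [FILTER.handle(build_query(n, t))[0] for n, t in queries]
```

Answering blocked names with a sinkhole address rather than silently dropping the query keeps clients from retrying against other resolvers and gives the SOC a log entry per blocked lookup; matching on parent domains is what stops an attacker from sidestepping the list with a fresh subdomain.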