17-08-2012, 12:31 PM
Report on Firewalls
concept of firewall.pdf (Size: 1.08 MB / Downloads: 267)
Stateful Firewalls
The focus of this chapter is on stateful firewalls, a type of firewall that attempts
to track the state of network connections when filtering packets. The stateful firewall’s
capabilities are somewhat of a cross between the functions of a packet filter and the
additional application-level protocol intelligence of a proxy. Because of this additional
protocol knowledge, many of the problems encountered when trying to configure a
packet-filtering firewall for protocols that behave in nonstandard ways (as mentioned in
Chapter 2, “Packet Filtering”) are bypassed.
This chapter discusses stateful filtering, stateful inspection, and deep packet inspection,
as well as state when dealing with various transport and application-level protocols. We
also demonstrate some practical examples of how several vendors implement state tracking
as well as go over examples of such firewalls.
How a Stateful Firewall Works
The stateful firewall spends most of its cycles examining packet information in Layer 4
(transport) and lower. However, it also offers more advanced inspection capabilities by
targeting vital packets for Layer 7 (application) examination, such as the packet that initializes
a connection. If the inspected packet matches an existing firewall rule that permits
it, the packet is passed and an entry is added to the state table. From that point
forward, because the packets in that particular communication session match an existing
state table entry, they are allowed access without call for further application layer inspection.
Those packets only need to have their Layer 3 and 4 information (IP address and
TCP/UDP port number) verified against the information stored in the state table to
confirm that they are indeed part of the current exchange. This method increases overall
firewall performance (versus proxy-type systems, which examine all packets) because
only initiating packets need to be unencapsulated the whole way to the application layer.
The Concept of State
One confusing concept to understand when discussing firewall and TCP/IP communications
is the meaning of state. The main reason this term is so elusive is that it can mean
different things in different situations. Basically, state is the condition of being of a given
communication session. The definition of this condition of being for a given host or session
can differ greatly, depending on the application with which the parties are communicating
and the protocols the parties are using for the exchange.
Transport and Network Protocols and State
Transport protocols can have their connection’s state tracked in various ways. Many of
the attributes that make up a communication session, including IP address and port pairings,
sequence numbers, and flags, can all be used to fingerprint an individual connection.
The combination of these pieces of information is often held as a hash in a state
table for easy comparison. The particulars depend on the vendor’s individual implementation.
However, because these protocols are different, so are the ways the state of their
communications can be effectively tracked.
UDP and State
Unlike TCP, UDP is a connectionless transport protocol. This makes the tracking of its
state a much more complicated process. In actuality, a connectionless protocol has no
state; therefore, a stateful device must track a UDP connection in a pseudo-stateful manner,
keeping track of items specific to its connection only. Because UDP has no
sequence numbers or flags, the only items on which we can base a session’s state are the
IP addressing and port numbers used by the source and destination hosts. Because the
ephemeral ports are at least somewhat random, and they differ for any connection coming
from a given IP address, this adds a little bit of credence to this pseudo-stateful
method of session tracking. However, because the UDP session is connectionless, it has
no set method of connection teardown that announces the session’s end. Because of this
lack of a defined ending, a state-tracking device will typically be set up to clear a UDP
session’s state table entries after a preconfigured timeout value (usually a minute or less)
is reached. This prevents entries from filling the table.
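The state-table behaviour described above (rule lookup only for the initiating packet, Layer 3/4 matching against the table for everything after it, and a pseudo-stateful timeout for UDP entries) can be shown in a small simulation. The code below is an added example written for this post; it is not from the attached report or from any vendor's firewall. The 5-tuple key, the `StatefulFilter` class, the 30-second UDP timeout and the sample addresses are all constructed for illustration, and TCP teardown is deliberately left out.

```python
import time
from dataclasses import dataclass

# Constructed example of a stateful packet filter. Not the report's code and not
# any vendor's implementation: it keeps a state table keyed by the 5-tuple the
# chapter describes and expires UDP entries after a pseudo-stateful timeout.


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: marks the connection-initiating packet
    ack: bool = False   # TCP ACK flag


UDP_TIMEOUT = 30.0      # seconds; an assumed value ("usually a minute or less")


class StatefulFilter:
    def __init__(self, rules, udp_timeout=UDP_TIMEOUT):
        # rules: (proto, dst, dport) tuples that a NEW session is permitted to open
        self.rules = set(rules)
        self.udp_timeout = udp_timeout
        # state table: 5-tuple -> timestamp the entry was last seen
        self.state = {}

    @staticmethod
    def key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def reverse_key(pkt):
        # The reply direction of the same session swaps the address/port pairs.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def expire(self, now):
        # UDP has no teardown, so idle entries are cleared after the timeout.
        # TCP entries stay until teardown, which this example does not model.
        stale = [k for k, seen in self.state.items()
                 if k[0] == "udp" and now - seen > self.udp_timeout]
        for k in stale:
            del self.state[k]

    def filter(self, pkt, now=None):
        now = time.time() if now is None else now
        self.expire(now)
        k, rk = self.key(pkt), self.reverse_key(pkt)
        # Packet belongs to an existing session: only Layer 3/4 data is checked,
        # no rule lookup and no application-layer inspection.
        if k in self.state or rk in self.state:
            self.state[k if k in self.state else rk] = now
            return "ALLOW"
        # No state entry: a TCP session may only start with a bare SYN.
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "DROP"
        # Initiating packet: consult the rule base, then record the session.
        if (pkt.proto, pkt.dst, pkt.dport) in self.rules:
            self.state[k] = now
            return "ALLOW"
        return "DROP"


def demo():
    """Run a constructed packet sequence and return the verdict for each packet."""
    fw = StatefulFilter(rules=[("tcp", "10.0.0.5", 80), ("udp", "10.0.0.53", 53)])
    pkts = [
        # 1. client opens HTTP: bare SYN matches a rule, state entry is created
        (Packet("tcp", "192.0.2.10", 40001, "10.0.0.5", 80, syn=True), 0.0),
        # 2. server SYN/ACK: reverse key hits the state table, no rule lookup
        (Packet("tcp", "10.0.0.5", 80, "192.0.2.10", 40001, syn=True, ack=True), 0.1),
        # 3. unsolicited ACK with no state entry and no rule: dropped
        (Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 22, ack=True), 1.0),
        # 4. DNS query over UDP: rule matches, pseudo-state entry is created
        (Packet("udp", "192.0.2.10", 51000, "10.0.0.53", 53), 2.0),
        # 5. DNS reply inside the timeout: allowed via the reverse key
        (Packet("udp", "10.0.0.53", 53, "192.0.2.10", 51000), 3.0),
        # 6. late "reply" after the UDP timeout: entry expired, no inbound rule, dropped
        (Packet("udp", "10.0.0.53", 53, "192.0.2.10", 51000), 60.0),
    ]
    return [fw.filter(p, now=t) for p, t in pkts]


if __name__ == "__main__":
    for i, verdict in enumerate(demo(), 1):
        print(i, verdict)
```

Packet 3 illustrates the performance point in the chapter from the other side: a mid-stream packet with no matching entry never reaches the rule base at all, and packet 6 shows why the UDP timeout matters, since without it a stale entry would keep accepting inbound traffic indefinitely.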
Application-Level Traffic and State
We have covered in some detail the ways that state can be tracked at the transport and
network protocol levels; however, things change when you are concerned about the state
of the entire session. When a stateful device is deciding which traffic to allow into the
network, application behaviors must be taken into account to verify that all session-related
traffic is properly handled. Because the application might follow different rules
for communication exchanges, it might change the way that state has to be considered
for that particular communication session. Let’s look at an application that uses a standard
communication style (HTTP) and one that handles things in a nonstandard way (FTP).