The inspection of TCP IP packets

an article added by: Maria T. at 11202007


The Inspection Process

The inspection of TCP/IP packets is a multi-step procedure. What follows is a summary of the steps, not necessarily in order:

1. A packet arrives at the outside interface. It is checked against the permitted and denied ports and IP addresses. Note that a stateful inspection firewall rule requires both a port and an IP address. The address part of a rule can be a single host, a group of IP addresses, or “any,” meaning any valid IP address on the specified network.

2. The firewall checks the source IP address for validity. This anti-spoofing check allows only packets whose source address is consistent with the subnet of the firewall’s incoming interface or with its routing table. A packet that arrives on the outside interface claiming a source address from the inside network carries inconsistent information about its origin, is unlikely to be legitimate, and is dropped.

3. The firewall compares the ports and addresses to the ACL, and either clears the packet for further processing or drops the packet.

4. The packet’s source and destination addresses, as well as other tracking information, are recorded in a connection table for reference when a return packet is sent. Stateful inspection firewalls keep track of who is talking to whom. This is extremely important for the correct use and protection of the dynamic (ephemeral) ports: a return packet is accepted only because a table entry shows that an inside host is expecting it. Should the packet be part of an ongoing connection, there is already an entry in the connection table and the packet information is compared to the entry for consistency.

5. If the packet belongs to a well-known protocol such as SMTP (Internet mail), HTTP (Web), or FTP (file transfer), it may be checked against the IANA standards or a vendor’s private standards for compliance. This ensures that packets containing malformed data are dropped and do not reach the servers, where they may cause harm. This is not, however, equivalent to an application proxy’s inspection of packet data. Application proxies inspect the data contained in the packet for conformance to a specific application’s requirements and rewrite the packet. Stateful inspection firewalls only check for standards compliance and perform address translation; they do not rewrite the packet wholesale. They are not application-specific, and not all stateful inspection firewalls perform this type of check.

6. Finally, the firewall rewrites the destination IP address from the public (valid Internet) address to the private address and sends the packet on its way.

Packets sent from the inside to the outside follow a similar process:

1. The firewall checks that the packet has a valid source IP address and a permitted destination IP address. By default, most firewalls permit a higher-security (inside) interface to reach any location outside the firewall. This default can be overridden, and best practice is to do so (see article 4), so that outbound traffic is limited to the destinations and services that are actually needed.

2. A comparison is done between the outgoing packet parameters and the entries in the connection table. The firewall confirms that the entries match and that the packet is headed to the appropriate destination.

3. The firewall may confirm the outgoing protocols, although in most cases, firewalls assume that trusted networks use valid protocols.

4. Addresses are translated and the packet is sent on its way to the destination.
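The two procedures above, carried through as an added example that is not part of the original article: a toy stateful inspection firewall in Python with the inbound ACL check, the anti-spoofing check, a connection table that also performs PAT (many inside hosts sharing one public address, distinguished by source port), a minimal HTTP standards check standing in for step 5, and static NAT that rewrites the public address to the internal web server. It also illustrates the Connection Table and NAT/PAT items in the feature list further down. All addresses (203.0.113.10 as the public address, 192.168.1.0/24 inside, 192.168.1.80 as the web server, 198.51.100.x as Internet hosts), the ACLs, and the PAT port range are constructed for the example; the outbound port list models the best-practice override of the default “permit anything out.”

```python
"""Toy stateful inspection firewall (added example, not from the article).

Addresses, ACLs and the PAT port range below are constructed for the example.
"""
from dataclasses import dataclass, field, replace
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")    # constructed: inside interface subnet
PUBLIC_ADDR = "203.0.113.10"                           # constructed: firewall's outside address
WEB_SERVER = "192.168.1.80"                            # constructed: internal web server
STATIC_NAT = {PUBLIC_ADDR: WEB_SERVER}                 # inbound destination rewrite (inbound step 6)
INBOUND_ACL = {(PUBLIC_ADDR, 80), (PUBLIC_ADDR, 443)}  # (dst, port) permitted for new inbound flows
OUTBOUND_PORTS = {53, 80, 443}                         # override of the default "permit anything out"
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Firewall:
    # One connection table, indexed two ways: the flow as seen from outside
    # (remote + public) and as seen from inside (inside + remote).
    outside_view: dict = field(default_factory=dict)
    inside_view: dict = field(default_factory=dict)
    next_pat_port: int = 40000
    drops: list = field(default_factory=list)

    def _drop(self, reason):
        self.drops.append(reason)
        return None                      # None means the packet was dropped

    def _add_entry(self, inside, public, remote):
        # inside, public and remote are (address, port) pairs (inbound step 4)
        self.outside_view[remote + public] = inside
        self.inside_view[inside + remote] = public

    def _protocol_ok(self, pkt):
        # inbound step 5: minimal standards check; only HTTP request lines are modelled
        if pkt.dport == 80 and pkt.payload:
            return pkt.payload.split(b" ", 1)[0] in HTTP_METHODS
        return True

    def inbound(self, pkt):
        """Packet arriving on the outside interface; returns the rewritten packet or None."""
        # step 2: anti-spoofing, an outside packet must not claim an inside source
        if ipaddress.ip_address(pkt.src) in INSIDE_NET:
            return self._drop(f"spoofed inside source {pkt.src} on outside interface")
        if not self._protocol_ok(pkt):   # step 5
            return self._drop(f"malformed HTTP request from {pkt.src}")
        remote, public = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        inside = self.outside_view.get(remote + public)
        if inside is None:
            # steps 1 and 3: a new flow must be explicitly permitted by the ACL
            if public not in INBOUND_ACL or pkt.dst not in STATIC_NAT:
                return self._drop(f"no ACL entry for {pkt.dst}:{pkt.dport}")
            inside = (STATIC_NAT[pkt.dst], pkt.dport)
            self._add_entry(inside, public, remote)
        # step 6: rewrite the public destination to the private address and forward
        return replace(pkt, dst=inside[0], dport=inside[1])

    def outbound(self, pkt):
        """Packet arriving on the inside interface; returns the rewritten packet or None."""
        # outbound step 1: the source must belong to the inside network
        if ipaddress.ip_address(pkt.src) not in INSIDE_NET:
            return self._drop(f"invalid inside source {pkt.src}")
        inside, remote = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        public = self.inside_view.get(inside + remote)   # outbound step 2
        if public is None:
            # new flow: apply the restricted outbound policy, then allocate a PAT port so
            # many inside hosts can share PUBLIC_ADDR, told apart by source port
            if pkt.dport not in OUTBOUND_PORTS:
                return self._drop(f"outbound port {pkt.dport} not permitted")
            public = (PUBLIC_ADDR, self.next_pat_port)
            self.next_pat_port += 1
            self._add_entry(inside, public, remote)
        # outbound step 4: translate the source and forward
        return replace(pkt, src=public[0], sport=public[1])


if __name__ == "__main__":
    fw = Firewall()
    client = "198.51.100.5"                                       # constructed: an Internet client
    print(fw.inbound(Packet(client, 51000, PUBLIC_ADDR, 80, b"GET / HTTP/1.1\r\n")))
    print(fw.outbound(Packet(WEB_SERVER, 80, client, 51000)))     # reply follows the table entry
    print(fw.outbound(Packet("192.168.1.20", 55000, "198.51.100.7", 443)))  # PAT to port 40000
    print(fw.inbound(Packet("198.51.100.7", 443, PUBLIC_ADDR, 40000)))       # return traffic
    print(fw.inbound(Packet("198.51.100.9", 44444, PUBLIC_ADDR, 22)))        # None: no ACL entry
    print(fw.inbound(Packet("192.168.1.5", 1234, PUBLIC_ADDR, 80)))          # None: spoofed
    print(fw.drops)
```

The order of the checks is the practitioner’s choice the article alludes to: the anti-spoofing and standards checks run before the table lookup so that a malformed or spoofed packet never creates a connection entry, and a reply from the inside web server is allowed out only because the inbound request left an entry in the table, not because port 80 is open in both directions.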

Stateful Inspection Gateway Features

Let’s take a look at some of the features that make the Stateful Inspection Firewall so popular. While not every model of firewall will contain all, or even most of these features, some will be in nearly every one:

- Purpose-built OS: Eliminates the weaknesses found in most general-purpose operating systems. Because the firewall’s OS has a single purpose, filtering TCP/IP traffic from one interface to another, it carries no extras that could be leveraged as a point of entry for compromise. It also means that the OS that does the filtering can be separated completely from the graphical user interface (GUI) used for configuration and maintenance.

- Connection Table: The mechanism the firewall uses to provide stateful packet filtering, analyzing each packet to ensure that only legitimate traffic traverses the interface. This module maintains the table of active connections and validates source and destination addresses against it.

- Uniform Resource Locator (URL) Filtering: Can limit the URLs users are allowed to reach, based on a policy defined by the network administrator or by the security policy. In this role the firewall behaves like an outbound (forward) web filter: users inside the firewall can be prevented from accessing certain Web sites based on the address of the Web site.

- Content Filtering: Can block ActiveX controls or Java applets. This is a simple application-layer filter that is beginning to blur the line between application proxies and gateways. The firewall can block either specific ActiveX controls and/or Java applets, or all such content.

- Network Address Translation (NAT) and Port Address Translation (PAT): Hides internal addressing from the Internet and makes more efficient use of the limited public address space. As stated above, this is standard for gateways. As both a security measure and a way to stretch a limited Internet address space, NAT maps the private addresses used inside to valid Internet addresses on the outside and back again for return traffic. PAT lets many internal hosts share a single public address by rewriting the source port, and can also redirect a standard port (e.g., HTTP port 80) to a nonstandard port (port 8080); the latter is sometimes used to mask a service from other internal machines. Note that hiding addresses is not access control: the ACL and the connection table are what actually decide whether a packet passes.

- Cut-through Proxy: Authenticates users accessing resources through the firewall. After a single authentication event, the firewall permits the user’s subsequent traffic to reach services that would otherwise be inaccessible from outside the firewall, without proxying every packet of the session.

- VPN: Capable of handling mobile user access and site-to-site VPNs using Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES). Thus, a mobile user creates an encrypted “tunnel” from his computer to the firewall, permitting secure access to the resources behind the firewall, as if the computer were physically behind it. Of the three ciphers, only AES should be used today: DES is no longer considered secure and 3DES is deprecated.

- Intrusion Detection: Enables the firewall to protect against various forms of malicious attack, and to identify attacks via attack “signatures.” This is yet another feature that makes the stateful inspection firewall look a bit like an application proxy. Remember, these are general validations of the protocols, not checks specific to a given application. Application proxy firewalls are written for specific applications and perform much more precise checks on each data packet.

- DHCP: Can act as a DHCP client and/or server. While not so much a security feature, it provides the opportunity to automatically assign IP addresses to machines inside the firewall, which eliminates the need for a second device. There are some arguments against using this feature, because if an intruder gains access to your private network and is able to automatically obtain a valid IP address, it makes it much easier to begin the malicious work. (If an intruder has access to your private network, you have much larger concerns.)

- Routing Functionality: Can support static routes, Routing Information Protocol (RIP), and Open Shortest Path First (OSPF). Not strictly a security feature, but it eliminates other network appliances that would have to be maintained.

- Support for Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+): Authenticates, authorizes, and accounts for users passing through the firewall, and can also authenticate those connecting to the management interfaces. RADIUS and TACACS+ are basic, cross-platform authentication services; using them removes the need to maintain multiple separate sets of usernames and passwords, which in turn improves security.

- Failover: Provides a resilient, high-availability solution in case of failure. A network is only useful if it is available. Failover protects not only against hardware failure but also against loss of service due to a DoS attack or another non-destructive interruption.

Pros

Stateful inspection firewalls are the best balance between the performance of a packet filter and the security of an application proxy. There is a wide selection of these firewalls available and they have few, if any, drawbacks.
