Stateful firewall
In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams and UDP communication) traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known active connection will be allowed by the firewall; others will be rejected.

History

Before the advent of stateful firewalls, a stateless firewall, a firewall that treats each network frame (or packet) in isolation, was normal. Such packet filters operate at the Network Layer (layer 3) and function more efficiently because they only look at the header part of a packet. A drawback of pure packet filters is that they are stateless; they have no memory of previous packets, which makes them vulnerable to spoofing attacks. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. Modern firewalls are connection-aware (or state-aware), offering network administrators finer-grained control of network traffic.

The classic example of a network operation that may fail with a stateless firewall is the File Transfer Protocol (FTP). By design, such protocols need to be able to open connections to arbitrary high ports to function properly. Since a stateless firewall has no way of knowing that a packet destined for the protected network (to some host's destination port 4970, for example) is part of a legitimate FTP session, it will drop the packet. Stateful firewalls solve this problem by maintaining a table of open connections and intelligently associating new connection requests with existing legitimate connections.

Credit for the invention of the stateful firewall is usually given to Nir Zuk and his team at Check Point in the mid-1990s.

Early attempts at producing firewalls operated at the Application Layer, which is the very top of the seven-layer OSI model. This method required exorbitant amounts of computing power and is rarely used in modern implementations.

Description

A stateful firewall is able to hold significant attributes of each connection in memory, from start to finish. These attributes, which are collectively known as the state of the connection, may include such details as the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing the connection.
The most CPU-intensive checking is performed at the time the connection is set up. All subsequent packets of that session are processed rapidly, because it is simple and fast to determine whether a packet belongs to an existing, pre-screened session. Once the session has ended, its entry in the state table is discarded.

The stateful firewall depends on the three-way handshake of the TCP protocol when the protocol being used is TCP; when the protocol is UDP, the stateful firewall does not depend on anything related to TCP.
When a client initiates a new connection, it sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections. If the service which the client has requested is available on the server, the service will reply to the SYN packet with a packet in which both the SYN and the ACK bits are set. The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the ESTABLISHED state. Such a firewall will pass all outgoing packets through but will only allow incoming packets if they are part of an ESTABLISHED connection, ensuring that hackers cannot start unsolicited connections with the protected machine.

In order to prevent the state table from filling up, sessions will time out if no traffic has passed for a certain period.
These stale connections are removed from the state table. Many applications therefore send keepalive messages periodically in order to stop a firewall from dropping the connection during periods of no user activity, though some firewalls can be instructed to send these messages for applications.

Many stateful firewalls are able to track the state of flows in connectionless protocols. UDP hole punching is the technique associated with UDP.
Such sessions usually get the ESTABLISHED state immediately after the first packet is seen by the firewall.
Sessions in connectionless protocols can only end by time-out.

By keeping track of the connection state, stateful firewalls provide added efficiency in terms of packet inspection.
This is because for existing connections the firewall need only check the state table, instead of checking the packet against the firewall's rule set, which can be extensive.
Also, the concept of deep packet inspection is unrelated to stateful firewalls: because of its stateful feature, such a firewall checks incoming traffic against its state table first instead of jumping to its rule set, and if the state table is matched, deep packet inspection is not needed for that packet.
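The following Python model is added here as an illustration; it is not code from the article or from any firewall product. It implements the behaviour described in the preceding paragraphs: a TCP session passing through NEW, SYN_RECV and ESTABLISHED as the three-way handshake is observed, outgoing packets passed and incoming packets accepted only when they match a tracked session, UDP flows marked ESTABLISHED on their first packet and ended only by timeout, idle entries expired from the state table, and the rule set consulted only when a packet would open a new session. The idle timeouts, the rule set and the packet representation are assumptions made for the example.

```python
import time
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10                       # TCP flag bits
IDLE_TIMEOUT = {"tcp": 300.0, "udp": 30.0}  # assumed idle timeouts (seconds)
# Assumed rule set, consulted only for a packet that would open a NEW session:
# outbound connections are permitted to these (protocol, destination port).
RULES = {("tcp", 80), ("tcp", 443), ("udp", 53)}

@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)
    inbound: bool   # True if it arrives from outside the protected network
    flags: int = 0  # TCP flag bits; unused for UDP

class StatefulFirewall:
    """State table keyed by (proto, inside endpoint, outside endpoint), so
    both directions of a flow share one entry holding [state, last_seen]."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.table = {}

    def _key(self, p):
        inside, outside = (p.dst, p.src) if p.inbound else (p.src, p.dst)
        return (p.proto, inside, outside)

    def _expire(self):
        now = self.clock()
        for k, (_, seen) in list(self.table.items()):
            if now - seen > IDLE_TIMEOUT[k[0]]:
                del self.table[k]  # stale session removed from the table

    def process(self, p):
        """Return 'ACCEPT' or 'DROP' for packet p, updating the table."""
        self._expire()
        key, now = self._key(p), self.clock()
        entry = self.table.get(key)
        if entry is None:
            # No session yet: only an outbound first packet may open one,
            # and only here is the (possibly large) rule set consulted.
            if p.inbound or (p.proto, p.dst[1]) not in RULES:
                return "DROP"
            if p.proto == "udp":
                state = "ESTABLISHED"  # connectionless: established at once
            elif p.flags & SYN and not p.flags & ACK:
                state = "NEW"  # SYN seen, waiting for the server's SYN/ACK
            else:
                return "DROP"  # outbound non-SYN with no session to join
            self.table[key] = [state, now]
            return "ACCEPT"
        state = entry[0]
        # Fast path: a session exists, so only the handshake state matters.
        if state == "NEW" and p.inbound and (p.flags & (SYN | ACK)) == (SYN | ACK):
            entry[0] = "SYN_RECV"
        elif state == "SYN_RECV" and not p.inbound and p.flags & ACK:
            entry[0] = "ESTABLISHED"
        elif state != "ESTABLISHED":
            return "DROP"  # packet does not fit the handshake in progress
        entry[1] = now
        return "ACCEPT"
```

Passing a fake clock to the constructor lets you step time forward and watch idle UDP entries disappear while a TCP session with a longer timeout survives.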

Stateful packet inspection is typically achieved by using ASIC-accelerated appliances that are specifically engineered to handle Application Layer transactions.

Application-level filters

However, packet filtering alone is not regarded as providing enough protection. In order to effectively block peer-to-peer-related network traffic, what is needed is a firewall that does application filtering, which can be regarded as an extension to stateful packet inspection. Stateful packet inspection can determine what type of protocol is being sent over each port, but application-level filters look at what a protocol is being used for. For example, an application-level filter might be able to tell the difference between HTTP traffic used to access a Web page and HTTP traffic used for file sharing, whereas a firewall that is only performing packet filtering would treat all HTTP traffic equally.

Application layer firewalls differ from stateful packet-filtering and circuit-level gateways in several ways. Application-layer firewalls support multiple application proxies on a single firewall. The proxies sit between the client and server, passing data between the two endpoints. Suspicious data is dropped and the client and server never communicate directly with each other. Because application-level proxies are application-aware, the proxies can more easily handle complex protocols like H.323, which is used for videoconferencing and VoIP (Voice over IP). Application proxies can be transparent to the client and server, as no configuration is required on the client or the server; or they can be non-transparent, letting the client and server address the proxy server directly. Transparency versus non-transparency is a matter of implementation and address hiding, rather than of security.

Incompatibilities

The latest Linux (v 2.6.8 and on) and Microsoft (Windows 7 and Windows Vista) operating systems use TCP window scaling for non-HTTP (web) connections. This behavior is incompatible with some firewalls that use SPI (Stateful Packet Inspection), as found in firewalls like the Check Point NG R55, Cisco PIX earlier than v6.3.1, NetApp Cache Appliances, SonicWall, D-Link DI-724U, Netgear WGR614, and Linksys WRT54GS.
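As an added example, not taken from the article, the Python below models one commonly cited cause of this kind of incompatibility, which the article itself does not spell out: a firewall that validates each segment's sequence number against the receiver's advertised window but ignores the window scale option negotiated in the SYN, and so treats the raw 16-bit window field as the real window. The handshake values and the burst of segments are constructed for the example; the sequence numbers deliberately straddle the 32-bit wraparound.

```python
MOD = 1 << 32

def effective_window(raw_window, shift_count):
    """Window scale option (RFC 1323): real window = 16-bit field << shift."""
    return raw_window << min(shift_count, 14)  # the RFC caps the shift at 14

def seq_lt(a, b):
    """a < b in 32-bit sequence space, tolerant of wraparound."""
    return ((a - b) & 0xFFFFFFFF) >= 0x80000000

def in_window(seq, seg_len, rcv_nxt, window):
    """Acceptability check: does [seq, seq+seg_len) overlap
    [rcv_nxt, rcv_nxt+window) in modular sequence space?"""
    if window == 0:
        return seg_len == 0 and seq == rcv_nxt
    last = (seq + seg_len - 1) % MOD if seg_len else seq
    win_end = (rcv_nxt + window) % MOD
    return not seq_lt(last, rcv_nxt) and seq_lt(seq, win_end)

def filter_burst(rcv_nxt, raw_window, shift, segments, scale_aware):
    """ACCEPT/DROP per (seq, length) segment, with or without honouring wscale."""
    window = effective_window(raw_window, shift) if scale_aware else raw_window
    return ["ACCEPT" if in_window(s, n, rcv_nxt, window) else "DROP"
            for s, n in segments]

def demo():
    # Constructed handshake: the receiver advertised a raw window of 5840 with a
    # window scale shift of 7, and rcv_nxt sits just below the 32-bit wrap.
    rcv_nxt, raw_window, shift = 0xFFFFF000, 5840, 7
    # The sender, trusting the scaled window, fills it with 1460-byte segments.
    burst = [((rcv_nxt + i * 1460) % MOD, 1460) for i in range(8)]
    naive = filter_burst(rcv_nxt, raw_window, shift, burst, scale_aware=False)
    aware = filter_burst(rcv_nxt, raw_window, shift, burst, scale_aware=True)
    return naive, aware

if __name__ == "__main__":
    naive, aware = demo()
    print("ignoring wscale: ", naive)  # legitimate segments past 5840 bytes dropped
    print("honouring wscale:", aware)
```

The scale-unaware check passes only the first four segments and silently drops the rest, which from the endpoints' view looks like a stalled connection; honouring the negotiated shift accepts the whole burst.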

Vulnerabilities

There is a risk that vulnerabilities in individual protocol decoders could allow an attacker to gain control over the firewall. This concern highlights the need to keep firewall software updated.

Stateful firewalls also raise the possibility that individual hosts can be tricked into soliciting outside connections. This possibility can only be completely eliminated by auditing the host software. Some firewalls can be defeated in this way by simply viewing a web page (either with JavaScript enabled, or after clicking on a button).

See also

  • Check Point VPN-1
  • Cisco ASA
  • Computer security
  • Cyberoam
  • Endian Firewall
  • FireWall-1
  • IPCop
  • IPFire
  • IPFilter
  • ipfirewall
  • Kerio WinRoute Firewall
  • Monowall
  • Netfilter
  • Network layer firewall
  • PF
  • pfSense
  • Vyatta

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.