Stateful firewall

Stateful Packet Inspection (SPI; the German term translates literally as "state-based packet inspection") is a dynamic packet-filtering technique in which each packet is assigned to a specific active session.

The data packets are analysed, and the state of the connection is taken into account in the filtering decision. In this technique, which is used in firewalls, the data packets (strictly speaking, segments) are examined as they pass through the transport layer (layer four of the OSI model) and recorded in dynamic state tables. Decisions about forwarding a packet are then made on the basis of the recorded state of the connection it belongs to. Packets that cannot be assigned to a known connection by these criteria, or that may belong to a DoS attack, are discarded. Firewalls with SPI are therefore superior to pure packet-filtering firewalls in security-relevant applications.

Check Point Software Technologies Ltd. claims to have invented and patented this technique (U.S. Patent 5,606,668).

Operation

If computer A communicates with computer B through a simple packet filter (i.e. one without Stateful Packet Inspection), the filter must allow two connections in its rules:

  • Source A to destination B, HTTP service (for the request, e.g. "send me the website www.example.com")
  • Source B to destination A, HTTP service (for the response packets, in this example the contents of www.example.com)

The rule set is thus more permissive than necessary, since B may send to A at any time, even if A has never requested a website (in Netfilter, matching on the SYN flag can prevent B from establishing a connection to A).

With state-based filtering (i.e. with Stateful Packet Inspection) only one rule is required (plus a general rule that allows ESTABLISHED / RELATED packets). The rule set therefore becomes much clearer:

  • Source A to destination B

The packet filter remembers that computer A is communicating with host B and only allows replies from computer B to computer A. Computer B therefore cannot start a conversation without a request from A.

The rules for response packets are generated dynamically and deleted automatically after the response has been received or after a timeout.

Even more sophisticated systems additionally check whether a packet is allowed at all at the given point in the communication (for example, whether a party keeps sending packets even though the other side has already closed the communication).

Stateful Inspection for UDP packets

At first glance, Stateful Packet Inspection for UDP packets looks like a contradiction, since UDP, unlike TCP, is stateless. Most implementations (e.g. Linux Netfilter) nevertheless treat UDP as stateful, in the sense that when a request is sent via UDP, a dynamic firewall rule for the response packets is created for a short time. For DNS queries, for example, this means that only response packets from the name servers one has actually queried are admitted.

Some programs, such as Skype, use this in a method called hole punching to build point-to-point connections through firewalls. Both participants learn from the Skype server the IP address and port on which Skype is running on the opposite side. Then both send a UDP packet to the remote side. On arrival these packets are indeed discarded, because no inbound rule exists, but on the firewall of the sending computer they create a rule that from then on allows "replies". After that, both sides can communicate. With TCP this would not work, because the firewall can recognise genuine response packets by their sequence numbers.

Stateful Inspection for ICMP

Anyone who wants to send ping requests but not answer pings first defines an outbound rule for ICMP and then an inbound rule that generally allows all incoming packets belonging to an already existing connection (RELATED). The reply is let through once the firewall recognises the existing connection. One can then ping other hosts, but incoming pings are not allowed. This works although ICMP, unlike TCP, is a connectionless protocol; connectionless means that the individual packets are not related to one another.

Stateful Inspection in FTP

FTP is problematic. Two ports are used, "ftp" and "ftp-data" (21 and 20). "ftp" carries the commands, while ftp-data carries the data (file contents or directory listings). There are two different modes (active mode and passive mode) that determine the direction in which the data connection (ftp-data) is established. The Linux kernel contains a kernel module that handles the interplay between the two ports.
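The following is an added example, not the article's text or the Linux kernel module's code, showing what such a helper has to do: watch the FTP control channel, parse the "PORT" command (active mode) or the "227" reply (passive mode), and derive the single data connection that the state table should accept as RELATED. The addresses and control-channel lines are constructed (RFC 5737 documentation ranges); the check that the announced address belongs to the endpoint that announced it is the conservative behaviour a helper should have, since otherwise an FTP session could open the firewall for a third host (Netfilter's FTP helper relaxes this check only when its `loose` module option is set).

```python
"""Parse FTP control-channel lines the way a connection-tracking helper does,
to pre-authorise the matching data connection (added example; constructed data)."""
import re

FTP_DATA_PORT = 20   # source port the server uses for active-mode data connections

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


def _decode(groups):
    """Turn the six decimal fields into (ip, port); None if any field > 255."""
    n = [int(x) for x in groups]
    if any(x > 255 for x in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def parse_port_command(line):
    """Active mode: the client sends 'PORT h1,h2,h3,h4,p1,p2' and the server
    will connect to that address. Returns (ip, port) or None if malformed."""
    m = re.fullmatch(r"PORT " + _HOSTPORT + r"\r?\n?", line)
    return _decode(m.groups()) if m else None


def parse_pasv_reply(line):
    """Passive mode: the server answers '227 Entering Passive Mode (h1,...,p2)'
    and the client will connect to that address. Returns (ip, port) or None."""
    m = re.match(r"227 [^(]*\(" + _HOSTPORT + r"\)", line)
    return _decode(m.groups()) if m else None


def expect_data_connection(client_ip, server_ip, line):
    """Derive the RELATED expectation from one control-channel line.

    Returns (src_ip, src_port_or_None, dst_ip, dst_port) that the state table
    should admit once, or None when the line carries no usable announcement.
    The announced address must belong to the side that announced it."""
    if line.startswith("PORT "):
        hp = parse_port_command(line)
        if hp is None or hp[0] != client_ip:
            return None
        # Active mode: server connects from port 20 to the client's announced port.
        return (server_ip, FTP_DATA_PORT, client_ip, hp[1])
    if line.startswith("227 "):
        hp = parse_pasv_reply(line)
        if hp is None or hp[0] != server_ip:
            return None
        # Passive mode: client connects from any port to the server's announced port.
        return (client_ip, None, server_ip, hp[1])
    return None


# Constructed sample session (RFC 5737 documentation addresses).
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
SAMPLE_LINES = [
    "PORT 192,0,2,10,195,80\r\n",                          # active mode, port 195*256+80 = 50000
    "227 Entering Passive Mode (198,51,100,20,4,1)\r\n",   # passive mode, port 4*256+1 = 1025
    "PORT 203,0,113,7,195,80\r\n",                         # announces a third host: rejected
]


def demo():
    """Expectations the helper would add for each sample line (None = rejected)."""
    return [expect_data_connection(CLIENT, SERVER, line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, expectation in zip(SAMPLE_LINES, demo()):
        print(line.strip(), "->", expectation)
```

The third sample line is the case a helper must refuse: a client that announces an address other than its own would otherwise cause the firewall to admit a connection from the server to an unrelated host.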

Timeout

Under Stateful Packet Inspection, both TCP and UDP connections always have an assigned timeout: UDP because it is not visible when a connection has ended, TCP because connections are sometimes not properly torn down. The UDP timeout is usually in the range of 20-40 seconds, the TCP timeout 15-60 minutes.

If the timeout is not long enough and legitimate connections are therefore terminated by the firewall, there are two possible solutions. Extending the timeout helps, but it also increases the memory requirements of the system and reduces security. The preferred method should therefore be the use of keep-alive packets. These can be configured in many applications, such as SSH clients, or in the operating system itself.
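The following toy model, added here as an illustration and not taken from the article or from any real firewall, ties together the Operation, UDP and Timeout sections: a single static rule allows A to B, reply entries are created dynamically in a state table, TCP state is opened only by a SYN segment (the SYN-flag check mentioned above for Netfilter), and entries expire after a per-protocol idle timeout unless a packet such as a keep-alive refreshes them. Addresses are constructed (RFC 5737 documentation ranges) and the timeouts are assumed values chosen inside the ranges the article quotes.

```python
"""Toy stateful packet filter (added example; constructed addresses, assumed timeouts)."""
from dataclasses import dataclass

A = "192.0.2.10"       # client behind the firewall
B = "198.51.100.20"    # remote server


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag; ignored for UDP


class StatefulFilter:
    # Idle timeouts in seconds (assumed; UDP 20-40 s, TCP 15-60 min per the article).
    TIMEOUTS = {"udp": 30, "tcp": 30 * 60}

    def __init__(self, rules):
        self.rules = set(rules)   # static rules: (proto, src_host, dst_host, dst_port)
        self.table = {}           # state table: 5-tuple of the opening direction -> expiry

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _remember(self, key, now, proto):
        self.table[key] = now + self.TIMEOUTS[proto]

    def filter(self, p, now):
        """Return 'ACCEPT' or 'DROP' for packet p seen at time `now` (seconds)."""
        # Purge expired entries first, so a late reply finds no state.
        self.table = {k: t for k, t in self.table.items() if t > now}
        key, rev = self._key(p), self._reverse(p)
        if key in self.table or rev in self.table:
            # ESTABLISHED: part of a tracked connection, in either direction.
            self._remember(key if key in self.table else rev, now, p.proto)
            return "ACCEPT"
        if (p.proto, p.src, p.dst, p.dport) in self.rules:
            # NEW: only a SYN may open TCP state; a stray non-SYN segment
            # must not create a reply entry.
            if p.proto == "tcp" and not p.syn:
                return "DROP"
            self._remember(key, now, p.proto)
            return "ACCEPT"
        return "DROP"   # no rule and no state: B may not start a conversation


def tcp_scenario():
    """The two-rule problem from the Operation section, solved with one rule."""
    fw = StatefulFilter({("tcp", A, B, 80)})
    return [
        fw.filter(Packet("tcp", B, 80, A, 40000), now=0),            # unsolicited: DROP
        fw.filter(Packet("tcp", A, 40000, B, 80, syn=True), now=1),  # request: ACCEPT
        fw.filter(Packet("tcp", B, 80, A, 40000), now=2),            # reply: ACCEPT
        fw.filter(Packet("tcp", B, 80, A, 40001), now=3),            # other port: DROP
        fw.filter(Packet("tcp", A, 40002, B, 80), now=4),            # no SYN: DROP
    ]


def udp_scenario():
    """DNS: only the queried name server may answer, and only for a short time."""
    fw = StatefulFilter({("udp", A, B, 53)})
    fw.filter(Packet("udp", A, 5353, B, 53), now=0)                         # query
    late = fw.filter(Packet("udp", B, 53, A, 5353), now=31)                  # after 30 s: DROP
    fw.filter(Packet("udp", A, 5353, B, 53), now=40)                        # new query
    other = fw.filter(Packet("udp", "203.0.113.5", 53, A, 5353), now=41)    # not asked: DROP
    ok = fw.filter(Packet("udp", B, 53, A, 5353), now=50)                    # in time: ACCEPT
    return late, other, ok


def keepalive_scenario(interval=120):
    """An idle SSH session is dropped at the TCP timeout; one refreshed by a
    keep-alive every `interval` seconds survives."""
    idle, alive = (StatefulFilter({("tcp", A, B, 22)}) for _ in range(2))
    for fw in (idle, alive):
        fw.filter(Packet("tcp", A, 50000, B, 22, syn=True), now=0)
    horizon = StatefulFilter.TIMEOUTS["tcp"] + 1
    for t in range(interval, horizon, interval):
        alive.filter(Packet("tcp", A, 50000, B, 22), now=t)                 # keep-alive
    return (idle.filter(Packet("tcp", B, 22, A, 50000), now=horizon),
            alive.filter(Packet("tcp", B, 22, A, 50000), now=horizon))


if __name__ == "__main__":
    print(tcp_scenario(), udp_scenario(), keepalive_scenario())
```

In Netfilter the same two-line policy is written as an explicit rule for the opening direction plus a generic rule that matches tracked connections, for example `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`; the toy's `filter` method plays the role of that match, and the `keepalive_scenario` shows why a keep-alive shorter than the table's idle timeout keeps a long-lived session alive without raising the timeout for everyone.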

Setting the TCP keep-alive time on Linux to 120 seconds:

    echo 120 > /proc/sys/net/ipv4/tcp_keepalive_time

Implementations of stateful firewalls

  • Check Point Firewall-1 (Solaris, Windows, IPSO, RHEL, SPLAT)
  • pf (packet filter) (OpenBSD)
  • ipfw (FreeBSD)
  • iptables (Linux 2.4 and later)