Firewalls

DESCRIPTION

Firewalls. Types of Firewalls; Inspection Methods: Static Packet Inspection, Stateful Packet Inspection, NAT, Application Firewalls; Firewall Architecture; Configuring, Testing, and Maintenance. Figure 5-8: Stateful Inspection Firewalls. State of Connection: Open or Closed. PowerPoint PPT Presentation.

  • Firewalls
    - Types of Firewalls
    - Inspection Methods
      - Static Packet Inspection
      - Stateful Packet Inspection
      - NAT
      - Application Firewalls
    - Firewall Architecture
    - Configuring, Testing, and Maintenance

  • Figure 5-8: Stateful Inspection Firewalls
    - State of Connection: Open or Closed
    - State: Order of packet within a dialog
    - Often simply whether the packet is part of an open connection

  • Figure 5-8: Stateful Inspection Firewalls
    Stateful Firewall Operation
    - For TCP, record two IP addresses and port numbers in state table as OK (open) (Figure 5-9)
    - By default, permit connections from internal clients (on trusted network) to external servers (on untrusted network)
    - This default behavior can be changed with an ACL
    - Accept future packets between these hosts and ports with little or no inspection

  • Figure 5-9: Stateful Inspection Firewall Operation I
    Internal Client PC 60.55.33.12 -> Stateful Firewall -> external server
    1. TCP SYN Segment, From: 60.55.33.12:62600, To: 123.80.5.34:80
    2. Establish Connection
    3. TCP SYN Segment, From: 60.55.33.12:62600, To: 123.80.5.34:80
    Connection Table (Note: Outgoing Connections Allowed By Default)
      Type  Internal IP  Internal Port  External IP  External Port  Status
      TCP   60.55.33.12  62600          123.80.5.34  80             OK

  • Figure 5-9: Stateful Inspection Firewall Operation I
    External server -> Stateful Firewall -> Internal Client PC 60.55.33.12
    4. TCP SYN/ACK Segment, From: 123.80.5.34:80, To: 60.55.33.12:62600
    5. Check Connection: OK
    6. TCP SYN/ACK Segment, From: 123.80.5.34:80, To: 60.55.33.12:62600
    Connection Table
      Type  Internal IP  Internal Port  External IP  External Port  Status
      TCP   60.55.33.12  62600          123.80.5.34  80             OK

  • Figure 5-8: Stateful Inspection Firewalls
    Stateful Firewall Operation
    - For UDP, also record two IP addresses and port numbers in the state table
    Connection Table
      Type  Internal IP  Internal Port  External IP  External Port  Status
      TCP   60.55.33.12  62600          123.80.5.34  80             OK
      UDP   60.55.33.12  63206          1.8.33.4     69             OK

  • Figure 5-8: Stateful Inspection Firewalls
    Static Packet Filter Firewalls are Stateless
    - Filter one packet at a time, in isolation
    - If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection
    - But stateful firewalls can (Figure 5-10)

  • Figure 5-10: Stateful Firewall Operation II
    Attacker -> Stateful Firewall -> Internal Client PC 60.55.33.12
    1. Spoofed TCP SYN/ACK Segment, From: 10.5.3.4:80, To: 60.55.33.12:64640
    2. Check Connection Table: No Connection Match: Drop
    Connection Table
      Type  Internal IP  Internal Port  External IP  External Port  Status
      TCP   60.55.33.12  62600          123.80.5.34  80             OK
      UDP   60.55.33.12  63206          222.8.33.4   69             OK

  • Figure 5-8: Stateful Inspection Firewalls
    Static Packet Filter Firewalls are Stateless
    - Filter one packet at a time, in isolation
    - Cannot deal with port-switching applications
    - But stateful firewalls can (Figure 5-11)

  • Figure 5-11: Port-Switching Applications with Stateful Firewalls
    Internal Client PC 60.55.33.12 -> Stateful Firewall -> external server
    1. TCP SYN Segment, From: 60.55.33.12:62600, To: 123.80.5.34:21
    2. To Establish Connection
    3. TCP SYN Segment, From: 60.55.33.12:62600, To: 123.80.5.34:21
    State Table
      Type  Internal IP  Internal Port  External IP  External Port  Status  Added at
      TCP   60.55.33.12  62600          123.80.5.34  21             OK      Step 2

  • Figure 5-11: Port-Switching Applications with Stateful Firewalls
    External server -> Stateful Firewall -> Internal Client PC 60.55.33.12
    4. TCP SYN/ACK Segment, From: 123.80.5.34:21, To: 60.55.33.12:62600 ("Use Ports 20 and 55336 for Data Transfers")
    5. To Allow, Establish Second Connection
    6. TCP SYN/ACK Segment, From: 123.80.5.34:21, To: 60.55.33.12:62600 ("Use Ports 20 and 55336 for Data Transfers")
    State Table
      Type  Internal IP  Internal Port  External IP  External Port  Status  Added at
      TCP   60.55.33.12  62600          123.80.5.34  21             OK      Step 2
      TCP   60.55.33.12  55336          123.80.5.34  20             OK      Step 5

  • Figure 5-8: Stateful Inspection Firewalls
    Stateful Inspection Access Control Lists (ACLs)
    - Primarily allow or deny applications
    - Simple, because probing attacks that are not part of conversations do not need specific rules: they are dropped automatically
    - In integrated firewalls, ACL rules can specify that messages using a particular application protocol or server be authenticated or passed to an application firewall for inspection
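The behaviour in Figures 5-9 through 5-11 and the ACL slide above, as an added worked example that is not part of the original presentation: a toy stateful inspection firewall in Python that keeps the connection table from the slides, allows outgoing connections by default unless an ACL deny rule says otherwise, passes replies that match an entry, drops the spoofed SYN/ACK of Figure 5-10 because nothing matches, and pre-opens the FTP data connection of Figure 5-11. The addresses, ports and the `acl_deny` rule set are the slide values or constructed; the port announcement uses the real active-mode FTP `PORT h1,h2,h3,h4,p1,p2` command sent by the client (data port = p1*256 + p2, so 216,40 gives the slide's 55336), which is an assumption about how the firewall learns the second connection rather than the slide's own wording.

```python
"""Toy stateful inspection firewall (constructed teaching example, not product code)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    proto: str                       # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    payload: str = ""                # application data, inspected on the FTP control channel


# Real active-mode FTP command "PORT h1,h2,h3,h4,p1,p2": client data port = p1*256 + p2
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class StatefulFirewall:
    def __init__(self, internal_prefix, acl_deny=()):
        self.internal_prefix = internal_prefix   # trusted network, e.g. "60.55.33." (constructed)
        # Connection table keyed like the slides:
        # (Type, Internal IP, Internal Port, External IP, External Port) -> Status
        self.table = {}
        # ACL exceptions to "outgoing connections allowed by default":
        # (proto, external IP or "*", external port)
        self.acl_deny = set(acl_deny)

    def is_internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def _key(self, pkt):
        """Normalise a packet in either direction to the table's internal/external order."""
        if self.is_internal(pkt.src_ip):
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def process(self, pkt):
        """Return 'PASS' or 'DROP: <reason>' for one packet."""
        key = self._key(pkt)
        outbound = self.is_internal(pkt.src_ip)
        if key in self.table:
            # Part of an open connection: passed with little further inspection (Figure 5-9, steps 4-6).
            if outbound and key[4] == 21:
                self._learn_ftp_data_channel(pkt, key)   # port-switching application (Figure 5-11)
            return "PASS"
        if not outbound:
            # No connection match: the spoofed SYN/ACK of Figure 5-10 ends here.
            return "DROP: no connection match"
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) in self.acl_deny or \
                (pkt.proto, "*", pkt.dst_port) in self.acl_deny:
            return "DROP: denied by ACL"
        if pkt.proto == "TCP" and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
            return "DROP: TCP connection must start with SYN"
        # New outgoing connection from the trusted side: record it as OK (Figure 5-9, step 2).
        self.table[key] = "OK"
        return "PASS"

    def _learn_ftp_data_channel(self, pkt, ctrl_key):
        m = PORT_RE.search(pkt.payload)
        if not m:
            return
        h = m.groups()
        client_ip = ".".join(h[:4])
        client_port = int(h[4]) * 256 + int(h[5])
        # The server will connect from port 20 to the announced client port: pre-open that entry (step 5).
        self.table[("TCP", client_ip, client_port, ctrl_key[3], 20)] = "OK"


def run_figures():
    """Replay the slide scenarios; returns (decisions, final connection table)."""
    fw = StatefulFirewall("60.55.33.", acl_deny={("TCP", "*", 23)})   # constructed: deny Telnet outbound
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    r = {}
    # Figure 5-9: internal client opens TCP to external web server; the SYN/ACK reply matches the table
    r["5-9 syn"] = fw.process(Packet("TCP", "60.55.33.12", 62600, "123.80.5.34", 80, syn))
    r["5-9 synack"] = fw.process(Packet("TCP", "123.80.5.34", 80, "60.55.33.12", 62600, synack))
    # UDP is recorded the same way (addresses and ports), so the reply is matched
    r["udp out"] = fw.process(Packet("UDP", "60.55.33.12", 63206, "1.8.33.4", 69))
    r["udp reply"] = fw.process(Packet("UDP", "1.8.33.4", 69, "60.55.33.12", 63206))
    # Figure 5-10: spoofed SYN/ACK with no matching entry
    r["5-10 spoof"] = fw.process(Packet("TCP", "10.5.3.4", 80, "60.55.33.12", 64640, synack))
    # Figure 5-11: FTP control connection, then a PORT command announcing data port 216*256+40 = 55336
    r["5-11 ctrl"] = fw.process(Packet("TCP", "60.55.33.12", 62600, "123.80.5.34", 21, syn))
    r["5-11 port"] = fw.process(Packet("TCP", "60.55.33.12", 62600, "123.80.5.34", 21, ack,
                                       "PORT 60,55,33,12,216,40\r\n"))
    r["5-11 data"] = fw.process(Packet("TCP", "123.80.5.34", 20, "60.55.33.12", 55336, syn))
    # ACL exception to the default outbound allow
    r["acl telnet"] = fw.process(Packet("TCP", "60.55.33.12", 62601, "123.80.5.34", 23, syn))
    return r, fw.table


if __name__ == "__main__":
    decisions, table = run_figures()
    for name, verdict in decisions.items():
        print(f"{name:12s} {verdict}")
    print("Connection Table:")
    for entry, status in table.items():
        print("  ", *entry, status)
```

The second 5-11 entry in the resulting table is exactly the Step 5 row of the slide (TCP, 60.55.33.12, 55336, 123.80.5.34, 20, OK); a static packet filter would have had to leave port 20 open permanently to get the same transfer through.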