Making Firewall Do the Work: Stateful Packet Inspection
By Curt Frierson, Gladiator Technology Services
Wednesday, 27 April 2005 11:16 EST
For many overburdened system administrators tasked with the duty of securing their network, the extent of their knowledge of how a firewall works is that it “keeps the bad guys out.” IT examiners, however, are no longer satisfied with financial institutions simply having a firewall in place to reactively block potential attacks. Auditors now want to know what classification of firewall you have, and the characteristics of how it does its job.
As anyone who is trying to secure a network knows, a firewall is an absolute necessity. A well configured firewall is arguably the most important layer of defense from Internet attacks. But how does your firewall defend your internal network from intrusions, and how is one type of firewall different from another? There are several classifications of firewalls, each with its own attributes that help "keep the bad guys out." To simplify this discussion, we will examine the two most common: packet filtering and stateful packet inspection.
Packet filtering firewalls are very fast, allowing for maximum data throughput, because they examine only the headers of packets. A packet filtering firewall looks in the header for the source and destination address, the protocol (TCP, UDP, ICMP) and, for TCP and UDP, the source and destination port number. Rules can be created to allow or deny traffic based on combinations of these fields, and nothing else.
To conceptualize packets, headers and IP addresses, think about the process of sending a letter. The actual letter contains the data that you want the recipient to receive. For the letter to get delivered to the intended recipient, you must include information on the envelope. This information includes the destination address and sending address. Once the letter is sealed and the information is included on the envelope, the letter is ready to be sent. In this example, the entire package, including letter and envelope, is the "packet." The header is the envelope, because it contains the information for delivering the packet to the intended recipient.
Port numbers identify which service on a host a packet is meant for. Each common protocol has a well-known port number assigned to it by convention. For example, when mail is delivered between mail servers (SMTP), it travels over TCP port 25; when you visit a website (HTTP), the data travels over TCP port 80. Using a different port number for each protocol lets us filter out the traffic we do not want while allowing the traffic we do want. Keep in mind that the port number is only a convention: a service, or an attacker, can put any port number in a packet, so a rule that matches on ports alone is trusting the packet to describe itself honestly.
A packet filtering firewall’s use of port numbers to protect a network can be thought of like castle walls to protect a castle. The walls prevent intruders from entering the castle. Entryways, however, must exist for authorized people to enter the castle. These necessary gaps in the castle walls, unfortunately, provide an entry point for unauthorized invaders.
Another characteristic of packet filtering firewalls is that every packet is inspected independently. The firewall does not know whether a packet belongs to a connection that was previously established or is the start of a new one. Therefore, it cannot tell whether an inbound packet is an expected reply to a session an inside host opened or an unsolicited packet dressed up to look like one. The usual workaround, a rule that admits any inbound packet carrying the TCP ACK flag (or one coming from source port 80 or 25) on the assumption that it must be a reply, is easy to defeat, because an attacker can set those flags and ports on any packet. Because of the limited information they use to make decisions, packet filtering firewalls on their own are no longer considered adequate protection from Internet threats.
Stateful packet inspection (SPI) firewalls, by contrast, examine not only the header information of packets but also the state of the connection each packet belongs to, so you can set meaningful policies based on who initiated a connection and what its current status is. An SPI firewall maintains a connection table (often called a state table) of sessions in progress: which inside host opened a session, to which outside address and port, and how far along the exchange is. Every decision is made against that table together with the rules you have defined, which allows the firewall to enforce a more intelligent and meaningful security policy.
SPI firewalls examine the same source and destination address and port number information as packet filtering firewalls. In addition, they track each communication session over time. An outbound connection that the policy permits creates an entry in the connection table, and an inbound packet is allowed only if it is a proper continuation of a tracked session (for TCP, the expected next step in the handshake or data exchange). There is no standing rule that admits any packet claiming to come from port 80; the reply path stays closed until an inside host actually opens a session, and it closes again when the session ends. This method protects the internal network from a number of common attacks that a packet filter cannot distinguish from legitimate replies.
SPI firewalls base each decision on more information than a packet filter does: the header fields plus the history of the connection the packet belongs to. This makes SPI firewalls substantially more secure than traditional packet filtering firewalls.
If you already have an SPI firewall, you have probably noticed many alerts in the logs referring to attacks such as port scans, IP spoofing, and SYN floods. The connection table is what makes these alerts possible: a SYN flood shows up as a pile of half-open entries whose handshakes never complete, a port scan as one source probing many ports without a single session resulting, and a spoofed "reply" as a packet that matches no session the firewall ever saw. A simple packet filter that admits anything with source port 80 or the ACK flag set passes such packets straight through, with nothing in the log to show it. This could lead to an attacker gaining access to sensitive customer information or wreaking havoc on your internal network.
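The following is an added illustration, not code from the original article or from any firewall vendor. It models the two firewall types described above on the same constructed traffic: a stateless packet filter that, to let web and mail replies back in, must admit any inbound packet from source port 25 or 80, and a stateful firewall that keeps a connection table and admits inbound packets only as the expected continuation of a tracked session. It also shows how the same table yields the SYN flood and port scan alerts mentioned above. The addresses (10.0.0.0/24 as the inside network, 10.0.0.80 as a published web server, 198.51.100.x and 203.0.113.x as outside hosts) and the alert thresholds are hypothetical, and the packets are constructed by hand; nothing here touches a real network.

```python
from collections import namedtuple

# Constructed minimal packet: the header fields a filter examines, plus TCP flags.
Packet = namedtuple("Packet", "src dst sport dport flags")

INTERNAL_PREFIX = "10.0.0."   # hypothetical internal network
WEB_SERVER = "10.0.0.80"      # hypothetical inside web server published to the Internet
OUTBOUND_PORTS = {25, 80}     # services inside hosts may initiate (SMTP, HTTP)
HALF_OPEN_LIMIT = 5           # hypothetical alert threshold for half-open inbound sessions
SCAN_LIMIT = 5                # hypothetical alert threshold for distinct refused ports per source


def internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def packet_filter(pkt):
    """Stateless filter: each packet is judged alone on its header fields.
    To let replies to outbound SMTP/HTTP sessions back in, it has to trust
    every inbound packet whose source port is 25 or 80, which an attacker can set."""
    if internal(pkt.src) and pkt.dport in OUTBOUND_PORTS:
        return "ALLOW"
    if not internal(pkt.src) and pkt.dst == WEB_SERVER and pkt.dport == 80:
        return "ALLOW"
    if internal(pkt.dst) and pkt.sport in OUTBOUND_PORTS:
        return "ALLOW"
    return "DENY"


class StatefulFirewall:
    """Stateful inspection: a connection table records sessions the policy let
    start; an inbound packet passes only if it belongs to one of them."""

    def __init__(self):
        self.table = {}     # (initiator, iport, responder, rport) -> "SYN_SENT" | "ESTABLISHED"
        self.refused = {}   # outside source -> set of ports it was refused (scan detection)
        self.alerts = []

    def policy_allows_new(self, pkt):
        if internal(pkt.src):
            return pkt.dport in OUTBOUND_PORTS
        return pkt.dst == WEB_SERVER and pkt.dport == 80

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        closing = bool(pkt.flags & {"FIN", "RST"})

        if fwd in self.table:                      # initiator continuing its own session
            if closing:
                del self.table[fwd]
            return "ALLOW"

        if rev in self.table:                      # responder answering a tracked session
            if self.table[rev] == "SYN_SENT" and {"SYN", "ACK"} <= pkt.flags:
                self.table[rev] = "ESTABLISHED"    # handshake step 2 seen
                return "ALLOW"
            if self.table[rev] == "ESTABLISHED":
                if closing:
                    del self.table[rev]
                return "ALLOW"
            return "DROP"                          # wrong handshake step for this state

        # Untracked packet: only a plain SYN that policy permits may open a session.
        if pkt.flags == {"SYN"} and self.policy_allows_new(pkt):
            self.table[fwd] = "SYN_SENT"
            self.check_syn_flood(pkt)
            return "ALLOW"
        self.note_refusal(pkt)
        return "DROP"

    def check_syn_flood(self, pkt):
        # Half-open entries opened from outside toward this server that never completed.
        half_open = sum(1 for (src, _, dst, _), st in self.table.items()
                        if st == "SYN_SENT" and not internal(src) and dst == pkt.dst)
        if half_open == HALF_OPEN_LIMIT:
            self.alerts.append(f"SYN flood: {half_open} half-open connections to {pkt.dst}")

    def note_refusal(self, pkt):
        if internal(pkt.src):
            return
        ports = self.refused.setdefault(pkt.src, set())
        ports.add(pkt.dport)
        if len(ports) == SCAN_LIMIT:
            self.alerts.append(f"port scan: {pkt.src} probed {SCAN_LIMIT} closed ports on {pkt.dst}")


def run_scenario():
    """Constructed traffic: one legitimate web session, one spoofed inbound packet,
    a SYN flood against the web server and a port scan of an inside host."""
    fw = StatefulFirewall()
    results = {}
    syn = Packet("10.0.0.5", "198.51.100.20", 40000, 80, {"SYN"})
    synack = Packet("198.51.100.20", "10.0.0.5", 80, 40000, {"SYN", "ACK"})
    spoof = Packet("203.0.113.50", "10.0.0.7", 80, 445, {"ACK"})   # unsolicited, source port 80
    for name, p in (("syn", syn), ("synack", synack), ("spoof", spoof)):
        results[name] = (packet_filter(p), fw.inspect(p))
    for i in range(HALF_OPEN_LIMIT):                                # SYNs that never complete
        fw.inspect(Packet(f"203.0.113.{100 + i}", WEB_SERVER, 50000 + i, 80, {"SYN"}))
    for port in (21, 22, 23, 135, 139):                             # scan of a non-published host
        fw.inspect(Packet("203.0.113.9", "10.0.0.7", 45000, port, {"SYN"}))
    return results, fw.alerts
```

Running run_scenario() returns, for each named packet, the (packet filter, stateful) verdicts: the legitimate SYN and SYN/ACK are allowed by both, while the spoofed ACK from "source port 80" is allowed by the packet filter and dropped by the stateful firewall, which has no session for it to be a reply to. The alerts list then holds one SYN flood alert and one port scan alert, both derived from nothing more than the connection table and the refusals recorded against it. A real firewall also ages entries out of its table and tracks sequence numbers, which this model omits.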
So how do you know what type of firewall you have? Chances are that you already have a stateful packet inspection firewall. Check Point introduced the technique, and the term, with FireWall-1 in the mid-1990s, and it is now a de facto standard. All popular SonicWALL, Cisco, WatchGuard, and Check Point firewalls of recent years incorporate SPI technology.
It is important, however, that you verify what type of firewall you have through your firewall documentation. A search of your firewall vendor's website should allow you to quickly determine the classification of your exact firewall model. Check the rule set as well as the model: an SPI firewall configured with broad inbound "allow port 80" or "allow established" rules is being used as a packet filter, so confirm that inbound traffic is permitted only as replies to tracked sessions or to the specific services you intend to publish. And the next time you are asked by an IT examiner, "What type of firewall do you have?" you will be able to confidently answer the question.