Infrastructure Security: Devices and Media • Chapter 6 369
Stateful Inspection Firewalls
Stateful inspection is a compromise between these two existing technologies. It overcomes the drawbacks of both simple packet filtering and application-layer gateways, while enhancing the security provided by the firewall. Stateful inspection technology supplies application-layer awareness without actually breaking the client/server architecture by disassembling and rebuilding the packet. Additionally, it is much faster than an application-layer gateway due to the way packets are handled. It is also more secure than a packet-filtering firewall, due to application-layer awareness and the introduction of application- and communication-derived state awareness.
The primary feature of stateful inspection is the monitoring of application and communication states. This means that the firewall is aware of specific application communication requests and knows what should be expected out of any given communication session. This information is stored in a dynamically updated state table, and any communication not explicitly allowed by a rule in this table is denied. This allows the firewall to dynamically conform to the needs of the applications and open or close ports as needed. Ports are closed when the requested transactions are completed, which provides another layer of security.
A good example of how these different technologies work is the FTP process. With FTP, the client has the option of requesting that the server open a back connection. With a packet-filtering firewall, the only options are either leaving all ports beyond port 1023 open, thus allowing the back connection to be permitted, or closing them, which makes the attempted communication fail.
With an application-layer gateway, this type of communication can easily be permitted, but the performance of the entire session will be degraded due to the additional sessions created by the application-layer gateway itself. With stateful inspection, the firewall simply examines the packet where the back connection is requested, then allows the back connection to go through the firewall when the server requests it on the port previously specified by the requesting packet. When the FTP session is terminated, the firewall closes off all ports that were used and removes their entries from the state table. Figure 6.3 shows how this technology works.
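The state-table behaviour and the FTP back-connection walkthrough above can be made concrete with a small simulator. The following is an added example written for this page; it is not code from the book or from any firewall product. The class and function names (`StatefulFirewall`, `Packet`, `run_active_ftp_scenario`), the IP addresses and ports, and the packet layout are all constructed. It models one control session: a static rule admits the client's connection to port 21, the firewall inspects the control channel for the active-mode `PORT` command, opens a pinhole only for the back connection that command announced, and tears down the pinhole and the data session when the control session closes. Two simplifications are assumed: a session is closed on the first FIN seen, and no TCP sequence tracking is done.

```python
"""Toy stateful inspection firewall (constructed example, not from the book)."""
import re
from dataclasses import dataclass

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" asks the server to connect back
# to h1.h2.h3.h4 on port p1*256 + p2.
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # constructed: "SYN", "FIN" or "" for mid-stream data
    payload: str = ""    # application data, inspected only on tracked control sessions


class StatefulFirewall:
    def __init__(self, allowed_services):
        # Static rule base: (server_ip, port) pairs a client may initiate to.
        self.allowed = set(allowed_services)
        # State table: connection 4-tuple -> tracked attributes.
        self.state = {}
        # Pinholes: (server_ip, client_ip, client_port) -> control session that
        # requested the back connection.
        self.expected = {}

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Packet belongs to a session already in the state table (either direction).
        key = fwd if fwd in self.state else rev if rev in self.state else None
        if key is not None:
            entry = self.state[key]
            if entry["app"] == "ftp-control" and key == fwd:
                self._learn_port_command(key, pkt)   # client -> server direction only
            if "FIN" in pkt.flags:
                self._close(key)
            return "ALLOW"
        # 2. New connection permitted by the static rule base.
        if "SYN" in pkt.flags and (pkt.dst, pkt.dport) in self.allowed:
            app = "ftp-control" if pkt.dport == 21 else "generic"
            self.state[fwd] = {"app": app, "parent": None}
            return "ALLOW"
        # 3. New connection matching a pinhole opened earlier by a PORT command.
        if "SYN" in pkt.flags and (pkt.src, pkt.dst, pkt.dport) in self.expected:
            parent = self.expected.pop((pkt.src, pkt.dst, pkt.dport))
            self.state[fwd] = {"app": "ftp-data", "parent": parent}
            return "ALLOW"
        # 4. Nothing in the rule base or state table covers it: drop.
        return "DENY"

    def _learn_port_command(self, key, pkt):
        m = PORT_CMD.match(pkt.payload)
        if not m:
            return
        addr = ".".join(m.group(1, 2, 3, 4))
        port = int(m.group(5)) * 256 + int(m.group(6))
        client, server = key[0], key[2]
        # Only open a hole back toward the client that issued the command,
        # never toward an address the client merely named.
        if addr != client:
            return
        self.expected[(server, client, port)] = key

    def _close(self, key):
        entry = self.state.pop(key, None)
        if entry is None:
            return
        # Remove pinholes and data sessions spawned by this control session.
        for hole in [h for h, parent in self.expected.items() if parent == key]:
            del self.expected[hole]
        for child in [k for k, e in self.state.items() if e["parent"] == key]:
            del self.state[child]


def run_active_ftp_scenario():
    """Constructed active-mode FTP exchange; returns the per-packet decisions."""
    fw = StatefulFirewall(allowed_services={("203.0.113.10", 21)})
    client, server = "192.0.2.5", "203.0.113.10"
    decisions = [
        # Client opens the control channel; the static rule permits port 21.
        fw.process(Packet(client, 40000, server, 21, "SYN")),
        # Server tries a high port before any PORT command: no pinhole yet.
        fw.process(Packet(server, 20, client, 41000, "SYN")),
        # Client asks for a call-back on 192.0.2.5:41000 (160*256 + 40).
        fw.process(Packet(client, 40000, server, 21, "", "PORT 192,0,2,5,160,40\r\n")),
        # Server opens the back connection; the pinhole admits it.
        fw.process(Packet(server, 20, client, 41000, "SYN")),
        # Client ends the control session; its pinholes and data sessions go too.
        fw.process(Packet(client, 40000, server, 21, "FIN")),
        # The data channel is gone from the state table, so this is refused.
        fw.process(Packet(server, 20, client, 41000, "")),
    ]
    return decisions, fw


if __name__ == "__main__":
    results, firewall = run_active_ftp_scenario()
    print(results, firewall.state, firewall.expected)
```

The second packet is the distinction the text draws against packet filtering: the high port is closed until the firewall has seen the application actually ask for it, and it is closed again the moment the control session ends. The address check in `_learn_port_command` is the kind of sanity rule a stateful engine applies to the parsed command before trusting it.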
www.syngress.com