
Page 298

Stateful Firewalls

Stateful firewalls keep a state table that lets the firewall compare each current packet to the packets that preceded it. Stateful firewalls are slower than packet filters, but they are far more secure.

Computer 1 sends an ICMP Echo Request to bank.example.com in Fig. 8.6. The firewall is configured to allow ping to Internet sites, so the stateful firewall allows the traffic, and adds an entry to its state table.

FIG. 8.6 Stateful firewall design.

An Echo Reply is then received from bank.example.com to Computer 1 in Fig. 8.6. The firewall checks to see if it allows this traffic (it does), and then checks the state table for a matching echo request in the opposite direction. The firewall finds the matching entry, deletes it from the state table, and passes the traffic.

Then evil.example.com sends an unsolicited ICMP Echo Reply. The stateful firewall, shown in Fig. 8.6, sees no matching state table entry and denies the traffic.
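The three packets described above, as an added example that is not code from the original text: a small simulation of a stateful firewall whose state table records outbound ICMP Echo Requests and admits an Echo Reply only when a matching request is found (and then deletes the entry). The hostnames come from the text; the IP addresses, the internal network range and the ICMP identifier/sequence values are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses: only the hostnames appear in the text.
COMPUTER_1 = "10.0.0.5"       # Computer 1 (assumed internal host)
BANK = "203.0.113.10"         # bank.example.com (assumed)
EVIL = "198.51.100.66"        # evil.example.com (assumed)
INTERNAL_NET = ip_network("10.0.0.0/8")

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int   # ICMP identifier; a reply echoes the request's ident/seq
    seq: int


class StatefulFirewall:
    """Allows pings from the internal network out to the Internet and
    admits replies only when the state table holds the matching request."""

    def __init__(self, allow_outbound_ping: bool = True):
        self.allow_outbound_ping = allow_outbound_ping
        self.state_table: set[tuple[str, str, int, int]] = set()

    def process(self, pkt: IcmpPacket) -> str:
        src_internal = ip_address(pkt.src) in INTERNAL_NET

        # Outbound Echo Request: policy check, then record the connection.
        if pkt.icmp_type == ICMP_ECHO_REQUEST and src_internal:
            if not self.allow_outbound_ping:
                return "DENY"
            self.state_table.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "ALLOW"

        # Inbound Echo Reply: look for the request in the opposite direction.
        if pkt.icmp_type == ICMP_ECHO_REPLY and not src_internal:
            expected = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if expected in self.state_table:
                self.state_table.remove(expected)   # request is answered
                return "ALLOW"
            return "DENY"   # unsolicited reply: no matching state entry

        return "DENY"   # anything else is not covered by the policy


def run_scenario() -> list[str]:
    """Replays the packets from Fig. 8.6 and returns the firewall's decisions."""
    fw = StatefulFirewall(allow_outbound_ping=True)
    packets = [
        IcmpPacket(COMPUTER_1, BANK, ICMP_ECHO_REQUEST, ident=0x1234, seq=1),
        IcmpPacket(BANK, COMPUTER_1, ICMP_ECHO_REPLY, ident=0x1234, seq=1),
        IcmpPacket(EVIL, COMPUTER_1, ICMP_ECHO_REPLY, ident=0x1234, seq=1),
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)   # ALLOW, ALLOW, DENY
```

The unsolicited reply from evil.example.com is denied even though it carries the same identifier and sequence number as the legitimate reply: the matching entry was deleted as soon as bank.example.com answered, so there is nothing left in the state table for it to match.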

Proxy Firewalls

Proxies are preventive devices that can be, and historically have been, considered a type of firewall. Proxies operate as intermediary servers that sit in-line between a client and the destination server. Both packet filter and stateful firewalls either pass traffic through or deny it: they are simply another hop along the route. The TCP three-way handshake occurs between the client and the server, and is passed along by packet filter or stateful firewalls.

Proxies, however, actually terminate connections rather than merely inspecting them as they traverse the device. Fig. 8.7 shows the difference between TCP Web traffic from Computer 1 to bank.example.com passing via a stateful firewall and a proxy. The stateful firewall passes one TCP three-way handshake between Computer 1 and bank.example.com. A packet filter will do the same.

FIG. 8.7 Stateful inspection vs. proxy.

Various types of proxies, and proxy firewalls, have existed over the years. These have generally been categorized based on the depth of network traffic into which they have visibility. Circuit-level proxies, most commonly associated with SOCKS, operate at layer 5, the session layer, whereas application-level proxies operate at layer 7.

The proxy actually terminates the TCP connection from Computer 1, and initiates a TCP connection with bank.example.com. In this case, there are two handshakes: Computer 1 → Proxy, and Proxy → bank.example.com.

Like NAT, a proxy hides the origin of a connection. In the lower half of Fig. 8.7, the source IP address connecting to bank.example.com belongs to the firewall, not Computer 1.
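The two-handshake behaviour of Fig. 8.7, as an added example that is not code from the original text: a minimal TCP proxy on the loopback interface that accepts the client's connection, opens a second connection of its own to the destination server, and relays the request and response. The destination server records the peer address it sees, which turns out to be the proxy's outbound socket, not the client's. All addresses are ephemeral loopback ports chosen by the operating system; the server standing in for bank.example.com and the one-line "HTTP" exchange are constructed for the example.

```python
import socket
import threing if False else threading  # noqa: E401 (kept on one line for clarity)
```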