Firewalls provide protection against unwanted traffic from outside and inside your network. Three approaches taken by firewall vendors to provide this protection are static packet filtering, stateful packet inspection, and deep packet inspection. Firewalls are categorized based on their ability to perform one or more of these functions.
Static packet filtering
A device that provides static packet filtering services is considered a first generation firewall. Figure 2 provides an example of how this process works.
In Panel A, a remote workstation is attempting to access Port 25 on the Web server, IP address 22.214.171.124. Port 25 is the default port for SMTP, a messaging protocol. The external firewall is configured to allow traffic for the Web server only if it is destined for Port 80. Port 80 is the default Web services port. When the workstation's packet reaches the firewall, the destination address and port are checked and compared to the list of allowed address/port combinations. Since it doesn't match, the packet is dropped (discarded); no communication takes place.
Panel B depicts a successful packet transmission. Unlike the packet in Panel A, the destination address and port match an address/port pair allowed to pass. The firewall sends the packet on to the network segment on which the Web server is located.
As with stateful packet filtering and deep packet inspection, this process can be placed either at the perimeter of your network or at the entry point to a network segment containing sensitive data.
Stateful packet inspection (dynamic packet filtering)
Stateful packet inspection firewalls work in much the same way as static packet inspection devices. The primary difference lies in the stateful inspection device's ability to determine whether packets are parts of established sessions between devices on either side of the firewall.
A stateful firewall device builds a state table to track each session initiated by a system on the internal network. Any traffic attempting to pass through the firewall into the protected network or segment is checked to see if it's associated with a session in the state table. If it isn't, the packet isn't allowed to pass. Another feature is the ability of a stateful firewall to dynamically open and close ports as they're needed by authorized sessions. Let's look at Figure 3 as we step through an example of how dynamic packet filtering works.
Two devices on the internal network have initiated sessions with devices on the Internet. These sessions are listed in the state table. 126.96.36.199 is connected to a SMTP service and 188.8.131.52 is connected to a Web server. This is a scaled down version of a state table, but it's enough to represent stateful operation.
A device on the Internet attempts to send a packet to 184.108.40.206 with the intent of connecting to Microsoft SQL Server Port 1434. Although an address/port rule may not exist to block this packet, the fact that no system on the internal network is engaged in a Port 1434 session with an external device is enough to cause the firewall to drop the packet.
Deep packet inspection
Firewalls capable of deep packet inspection are the most sophisticated of the three types represented in this article. They are actually a combination of intrusion detection/prevention and stateful packet inspection services. A deep packet inspection firewall looks at the payload or data section of a packet. It makes decisions about whether to pass the packet based on the contents of a state table or the contents of the payload.
The payload contents are inspected through signature matching, protocol anomaly checking, or with the use of heuristics. Signature matching is the process of comparing known malware or other attack patterns to the data contained in the payload. If there is a match, the packet is dropped. Anomaly checking is the process of comparing the packet format to what is expected based on the packet type and the protocol specified in the packet header. Heuristic algorithms are another way of determining if a payload contains unwanted data. But instead of trying to make a perfect match to a known attack signature, heuristic algorithms make an "educated guess" about the probability of the presence of hostile code.
Finally, behavior watching algorithms, concerned with the behavior of communication traffic rather than payload signatures, can also be employed by deep inspection firewalls. For example, they watch for PING sweeps, repeated attempts to connect to a port on the internal network, and other unusual network behavior to determine if an attack is underway.
Regardless of the approach your firewall may use, when a possible attack is identified, the device can notify appropriate personnel, block the suspect traffic, or simply log the event. The choice as to how to handle an event is made by you or a member of your staff.
Go to Part 1...
See the rest of the series...