
Wednesday 10 February 2016

Firewall Technology 3 (STATEFUL FILTERING)

Stateful filtering is the firewall technique used to track the return traffic of a connection that a host on the internal network initiated.

  • Stateful filtering allows return traffic by building a state table that records the attributes of each permitted connection, such as source and destination IP addresses, port numbers and the protocol (TCP or UDP).
  • The expensive checks are done once, when the connection is set up; after that each packet costs little CPU, although the state table itself consumes memory. Return traffic for a connection initiated from the internal network is allowed by default through its state table entry, so no separate inbound rule is needed.


STATEFUL FILTERING

A stateless firewall treats each network frame or packet individually. Such packet filters operate at the OSI network layer (layer 3) and are efficient because they only examine the header part of a packet, but they cannot tell a legitimate reply from an unsolicited packet.

Working of Stateful Firewall
A stateful firewall keeps track of the state of network connections (such as TCP streams or UDP exchanges) and holds the significant attributes of each connection in memory. These attributes are collectively known as the state of the connection, and may include details such as the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing it. Stateful inspection monitors incoming and outgoing packets over time, together with the state of the connection, and stores the data in dynamic state tables.

The most CPU-intensive checking is performed when the connection is set up. Entries are created only for TCP connections or UDP streams that satisfy the defined security policy. After that, all packets belonging to that session are processed rapidly, because it is simple and fast to determine whether a packet belongs to an existing, pre-screened session. Packets associated with these sessions are permitted to pass through the firewall. Sessions that do not match any policy are denied, as are packets that do not match an existing table entry.


In order to prevent the state table from filling up, sessions time out if no traffic has passed for a certain period, and the stale entries are removed from the state table. Many applications therefore send keepalive messages periodically so that the firewall does not drop the connection during periods of no user activity, though some firewalls can be configured to send these messages on behalf of applications.


For TCP, the stateful firewall follows the three-way handshake: the SYN from the initiator opens the entry in the firewall, the SYN-ACK from the server is matched against that entry as the response for the requested service, and the final ACK marks the connection as established. These handshake steps are how established connections are tracked. At the same time, the firewall drops every packet that is not associated with an existing connection recorded in its state table, so unknown traffic from an unsolicited device is dropped.

Working of Stateful Filtering


An example of a network operation that may fail with a stateless firewall is the File Transfer Protocol (FTP). By design, such protocols need to be able to open additional connections to arbitrary high ports in order to function properly; in active-mode FTP the server opens the data connection back to a port the client announced on the control channel. Since a stateless firewall has no way of knowing that a packet destined to the protected network (to some host's destination port 4970, for example) is part of a legitimate FTP session, it will drop the packet. Stateful firewalls with application inspection solve this problem by maintaining a table of open connections, inspecting the payload of some packets (the PORT command on the FTP control channel, in this case) and intelligently associating new connection requests with existing legitimate connections.
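The following Python program is an added illustration of the mechanisms described above (state table, TCP handshake tracking, idle timeout, dropping of unsolicited packets) and of the FTP case in particular; it is not code from the original post or from any real firewall product. The addresses, the 10.0.0.0/24 "internal" prefix, the 60-second idle timeout and the packet sequence are all constructed for the example; the PORT command uses 19,106, which encodes port 19*256+106 = 4970, the port the FTP paragraph mentions.

```python
"""Toy stateful packet filter: 5-tuple state table, TCP handshake tracking, idle
timeout and FTP PORT inspection. A constructed illustration, not production code."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

INTERNAL_PREFIX = "10.0.0."  # hypothetical internal network used by the example
Key = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "TCP"
    flags: Set[str] = field(default_factory=set)  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    payload: bytes = b""
    time: float = 0.0  # seconds; drives the idle timeout


def keys(p: Packet) -> Tuple[Key, Key]:
    """Forward 5-tuple and its reverse, so replies map onto the initiator's entry."""
    return (p.src, p.dst, p.sport, p.dport, p.proto), (p.dst, p.src, p.dport, p.sport, p.proto)


class StatefulFilter:
    """State table keyed by the initiator's 5-tuple -> (state, last_seen)."""

    def __init__(self, idle_timeout: float = 60.0):
        self.table: Dict[Key, Tuple[str, float]] = {}  # TCP: SYN_SENT/SYN_RECV/ESTABLISHED
        self.expected: Set[Tuple[str, str, int]] = set()  # FTP data channels: (server, client, port)
        self.idle_timeout = idle_timeout

    def policy_allows_new(self, p: Packet) -> bool:
        """Security policy for NEW sessions: only connections initiated from inside."""
        return p.src.startswith(INTERNAL_PREFIX) and not p.dst.startswith(INTERNAL_PREFIX)

    def expire(self, now: float) -> int:
        """Remove entries idle longer than the timeout; returns how many were removed."""
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def _accept(self, k: Key, p: Packet, state: str) -> str:
        self.table[k] = (state, p.time)  # refresh the entry's timestamp on every accepted packet
        return "ACCEPT"

    def process(self, p: Packet) -> str:
        """Decide ACCEPT or DROP for one packet and update the state table."""
        self.expire(p.time)
        fwd, rev = keys(p)
        if p.proto == "UDP":  # no handshake: the first inside-initiated datagram opens the entry
            if fwd in self.table or rev in self.table:
                return self._accept(fwd if fwd in self.table else rev, p, "UDP")
            return self._accept(fwd, p, "UDP") if self.policy_allows_new(p) else "DROP"
        if fwd in self.table:  # TCP packet from the initiator's side
            state, _ = self.table[fwd]
            if state == "SYN_RECV" and "ACK" in p.flags and "SYN" not in p.flags:
                return self._accept(fwd, p, "ESTABLISHED")  # third step of the handshake
            if state == "ESTABLISHED":
                if p.dport == 21:  # application inspection on the FTP control channel
                    self._inspect_ftp_port(p)
                return self._accept(fwd, p, "ESTABLISHED")
            return "DROP"
        if rev in self.table:  # TCP return traffic from the responder's side
            state, _ = self.table[rev]
            if state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
                return self._accept(rev, p, "SYN_RECV")
            return self._accept(rev, p, state) if state == "ESTABLISHED" else "DROP"
        # No state: only a SYN admitted by policy or by an FTP expectation opens an entry.
        if p.flags == {"SYN"} and ((p.src, p.dst, p.dport) in self.expected or self.policy_allows_new(p)):
            self.expected.discard((p.src, p.dst, p.dport))
            return self._accept(fwd, p, "SYN_SENT")
        return "DROP"

    def _inspect_ftp_port(self, p: Packet) -> None:
        """Parse 'PORT h1,h2,h3,h4,p1,p2' and expect the server's data connection back."""
        text = p.payload.decode("ascii", "replace").strip()
        parts = text[5:].split(",") if text.upper().startswith("PORT ") else []
        if len(parts) != 6 or not all(x.isdigit() and int(x) <= 255 for x in parts):
            return
        h = [int(x) for x in parts]
        self.expected.add((p.dst, ".".join(map(str, h[:4])), h[4] * 256 + h[5]))


def run_scenario() -> Dict[str, str]:
    """Constructed traffic: inside client 10.0.0.5 uses active-mode FTP to 203.0.113.9."""
    fw, c, s, r = StatefulFilter(idle_timeout=60.0), "10.0.0.5", "203.0.113.9", {}
    r["syn"] = fw.process(Packet(c, s, 51000, 21, flags={"SYN"}, time=0.0))
    r["synack"] = fw.process(Packet(s, c, 21, 51000, flags={"SYN", "ACK"}, time=0.1))
    r["ack"] = fw.process(Packet(c, s, 51000, 21, flags={"ACK"}, time=0.2))
    r["unsolicited"] = fw.process(Packet(s, c, 4444, 22, flags={"SYN"}, time=0.3))
    r["data_early"] = fw.process(Packet(s, c, 20, 4970, flags={"SYN"}, time=0.4))  # no PORT seen yet
    r["port_cmd"] = fw.process(Packet(c, s, 51000, 21, flags={"PSH", "ACK"}, time=0.5,
                                      payload=b"PORT 10,0,0,5,19,106\r\n"))  # 19*256+106 = 4970
    r["data_after"] = fw.process(Packet(s, c, 20, 4970, flags={"SYN"}, time=0.6))
    r["expired"] = fw.process(Packet(s, c, 21, 51000, flags={"ACK"}, time=62.0))  # idle > 60 s
    return r


if __name__ == "__main__":
    print(run_scenario())
```

Running run_scenario() accepts the three handshake packets, drops the unsolicited SYN to port 22 and the early data connection to port 4970, then accepts the same data connection once the PORT command has been inspected, and drops the server's packet on the control channel after the entry has been idle for more than 60 seconds. The policy function is deliberately the only place that decides which NEW sessions may open; everything else is decided by the state table, which is the essence of stateful filtering.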
