The purpose of a firewall is to ensure security in communications between internal and external networks. A firewall allows or disallows communication across the firewall in accordance with a predefined security policy.
2. Firewall implementations: There are different implementations of firewalls. Most notable among these are:
a. A firewall implemented with Packet Filters works at the Network Layer of the ISO/OSI stack.
b. A firewall implemented with Application Layer Gateways works at the Application Layer of the ISO/OSI stack.
c. A firewall implemented with stateful technology (like Checkpoint Firewall-1) works at all layers of the ISO/OSI model.
3. A firewall implemented with stateful inspection technology (FireWall-1 uses stateful inspection) has several advantages over packet filters:
[Comparison table; most cell values were lost. Columns: Communication Information, Communication-Derived State, Application-Derived State, Information Manipulation. Surviving row entry: Application Layer Gateway: Partial]
4. The following information is used by Firewall-1, which uses stateful inspection technology:
a. Communication information from the different layers of the TCP/IP stack
b. The state derived from previous communications
c. The state derived from other applications; for example, a previously authenticated user would be allowed access through the firewall for authorized services only.
Stateful Packet Inspection Firewall:
These firewalls are based on filtering packets at the network level: they examine protocol packet header fields (source IP, destination IP, TCP/UDP source port and TCP/UDP destination port). They are stateful because the firewall remembers prior connection states and continuously updates the state of each connection in its dynamic connection table.
Whenever the firewall receives a SYN packet initiating a TCP connection, the SYN packet is checked against the firewall rulebase. If the packet matches a rule it is allowed, otherwise it is denied. If the packet is accepted, the session is entered in the firewall's stateful connection table, which is located in kernel memory. Every packet that follows (i.e. one that does not carry the SYN flag) is then compared with the stateful inspection table. If the session is in the table, the packet is part of an existing session and is allowed through the firewall; if it does not match an existing session in the table, it is dropped. This improves performance because not every packet is compared with the rulebase: only SYN packets are compared with the rulebase, and all other packets are compared with the state table in kernel memory, which is very fast.
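The SYN/rulebase/state-table flow just described, as an added example (not FireWall-1 code or the notes' own): a toy stateful inspection engine with a constructed two-rule rulebase and a constructed packet sequence, showing that only SYN packets touch the rulebase while reply and data packets, in either direction, are decided by the connection table, and a stray non-SYN packet with no session is dropped.

```python
from collections import namedtuple

# Constructed sample traffic; syn=True marks the packet that initiates a TCP connection.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port syn", defaults=(False,))

# Constructed rulebase: (source prefix, destination IP, destination port, action).
# "*"/None match anything; the last entry is the implicit cleanup rule.
RULEBASE = [
    ("10.0.0.", "203.0.113.10", 443, "accept"),  # internal hosts -> web server, HTTPS
    ("*", "*", None, "drop"),
]

def match_rule(pkt):
    """First-match evaluation of the rulebase; only SYN packets are sent here."""
    for src, dst, port, action in RULEBASE:
        if ((src == "*" or pkt.src_ip.startswith(src))
                and (dst == "*" or pkt.dst_ip == dst)
                and (port is None or pkt.dst_port == port)):
            return action
    return "drop"

class StatefulFirewall:
    def __init__(self):
        self.state_table = set()   # stands in for the kernel-memory connection table
        self.rulebase_lookups = 0  # how often the (slow) rulebase was consulted

    def process(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.syn:                            # new connection: consult the rulebase
            self.rulebase_lookups += 1
            action = match_rule(pkt)
            if action == "accept":
                self.state_table.add(key)      # record the accepted session
            return action
        # Every other packet is compared only with the state table (either direction).
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "accept" if key in self.state_table or reverse in self.state_table else "drop"

def demo():
    """Run a constructed packet sequence; returns (decisions, rulebase lookups)."""
    fw = StatefulFirewall()
    packets = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True),  # SYN matches rule: accepted, session recorded
        Packet("203.0.113.10", 443, "10.0.0.5", 40000),            # server's reply: found in table (reverse key)
        Packet("10.0.0.5", 40000, "203.0.113.10", 443),            # data packet: found in table
        Packet("10.0.0.5", 40001, "203.0.113.10", 22, syn=True),   # SYN to a service no rule allows
        Packet("198.51.100.7", 1234, "10.0.0.5", 40000),           # non-SYN with no session: dropped
    ]
    return [fw.process(p) for p in packets], fw.rulebase_lookups
```

Calling `demo()` yields `(['accept', 'accept', 'accept', 'drop', 'drop'], 2)`: five packets, but the rulebase was consulted only for the two SYNs.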
Proxy Server Stateful Firewall:
These firewalls filter services at the application level. They terminate the session at their interface and initiate a separate connection with the internal server, so they take a little more time to establish the session. They are by nature slower in processing, as they work at the application level.
Today there is very little difference between these two firewall technologies, as more and more stateful packet inspection firewall vendors take a hybrid approach that combines both concepts. The main engine of the stateful firewall is implemented to maintain connection states, and features such as virus scanning, URL filtering and Java/ActiveX filtering are superimposed over it to get the best of both worlds.