SPI router

In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.

Early attempts at producing firewalls operated at the application level of the seven-layer OSI model but this required too much CPU speed. Packet filters operate at the network layer (layer-3) and function more efficiently because they only look at the header part of a packet. However, pure packet filters have no concept of state as defined by computer science using the term finite state machine and are subject to spoofing attacks and other exploits.

History

Before the advent of stateful firewalls, a stateless firewall, a firewall that treats each network frame (or packet) in isolation, was normal. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. Modern firewalls are connection-aware (or state-aware), affording network administrators finer-grained control of network traffic.

The classic example is the File Transfer Protocol, because by design it opens new connections to random ports. FTP, among other protocols, needs to be able to open connections to arbitrary high ports to function properly. Since a firewall has no way of knowing that the packet destined to the protected network, to some host's port 4970, is part of a legitimate FTP session, it will drop the packet. Stateful firewalls solve this problem by maintaining a table of open connections and intelligently associating new connection requests with existing legitimate connections.

Description

A stateful firewall is able to hold in memory significant attributes of each connection, from start to finish. These attributes, which are collectively known as the state of the connection, may include such details as the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing the connection. The most CPU intensive checking is performed at the time of setup of the connection. All packets after that (for that session) are processed rapidly because it is simple and fast to determine whether it belongs to an existing, pre-screened session. Once the session has ended, its entry in the state-table is discarded.

The stateful firewall depends on the famous three-way handshake of the TCP protocol. When a client initiates a new connection, it sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections. If the service which the client has requested is available on the server, the service will reply to the SYN packet with a packet in which both the SYN and the ACK bit are set. The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the ESTABLISHED state. Such a firewall will pass all outgoing packets through but will only allow incoming packets if they are part of an ESTABLISHED connection, ensuring that hackers cannot start unsolicited connections with the protected machine.

In order to prevent the state table from filling up, sessions will time out if no traffic has passed for a certain period. These stale connections are removed from the state table. Many applications therefore send keepalive messages periodically in order to stop a firewall from dropping the connection during periods of no user-activity, though some firewalls can be instructed to send these messages for applications. It is worth noting that the most common Denial of Service attack on the internet these days is the SYN flood, where a malicious user intentionally sends large amounts of SYN packets to the server in order to overflow its state table, thus blocking the server from accepting other connections.^{[citation needed]}

Many stateful firewalls are able to track the state of flows in connectionless protocols, like UDP. Such sessions usually get the ESTABLISHED state immediately after the first packet is seen by the firewall. Sessions in connectionless protocols can only end by time-out.

By keeping track of the connection state, stateful firewalls provide added efficiency in terms of packet inspection. This is because for existing connections the firewall need only check the state table, instead of checking the packet against the firewall's rule set, which can be extensive. There is also an additional cost when the firewall's rule set is updated, which should cause the state table to be flushed. Also, the concept of deep packet inspection is unrelated to stateful firewalls.^[clarify]

Application-level filters

Today, firewalls are again using application level filters called proxies — or application level proxies because machines with modern CPU speeds are capable of doing deep packet inspection in reasonable time. These proxies can read the data part of each packet in order to make more intelligent decisions about the connection. For example, IRC or peer to peer file sharing protocols sometimes try to "hide" on HTTP ports. Traditional stateful firewalls cannot detect this, while an application level firewall can detect and selectively block HTTP connections according to content.

Modern computers typically exchange data by breaking it up to network frames. These frames are called "packets" in TCP/IP, the most commonly used network protocol. Firewalls inspect each packet and decide whether it should be allowed to pass the firewall and continue travelling towards its destination, or be discarded. Common ways of filtering packets are according to the source/destination address or according to the source/destination port.

But in some cases this information is not enough. The administrator of the firewall might want to allow packets to pass the firewall according to the context of the connection, and not just the packet header characteristics. This deep packet inspection provides a much finer grained control.

Deep packet inspection costs more time to process, thus it is important to compensate for this by also providing stateful inspection. Note: The finer-grained security functionality provided by application-level filters can be defeated by users who encrypt packet contents (e.g. by tunneling via SSL).

Squid is an example of a caching proxy. Its main purpose is to locally store copies of web pages that are popular and therefore save bandwidth. It can also act as security proxy as it provides access control list for authentication, url and content filtering etc.

Pitfalls

Microsoft's latest operating system, Vista, uses TCP window scaling for non-http (web) connections. So do Linux kernels from versions 2.6.8 on. This behavior is incompatible with some firewalls that use SPI (Stateful Packet Inspection) as found in routers like the Checkpoint NG R55, Cisco PIX and IOS, NetApp Cache Appliances, SonicWall, D-Link DI-724U, Netgear WGR614, and Linksys WRT54GS. ^[1] This may be related to previous failures to work properly. Pre-released (beta) versions of Vista allegedly had more problems, including failed http (web) connections through SPI firewalls.^[2]

See also

• Network layer firewall
• Stateless firewall
• Proxy server
• Cisco PIX
• FireWall-1
• Netfilter
• Iptables
• Kerio WinRoute Firewall
• CHX-I

Notes

Donate to Wikimedia