the inside network toward the Internet.
Application Layer Gateway
An ALG is a firewall device that examines packets at the application layer of the Open Systems Interconnection (OSI) reference model. Figure shows an ALG that acts as an intermediary between the users and the protected system. Users gain access to the network by going through a process that establishes sessions, performs user authentication, and enforces authorized policy. These problems are associated with ALGs:
- ALGs must evaluate a lot of information in many packets and therefore can slow down network performance.
- ALGs are typically designed to filter a single application. Adding new services requires running multiple ALG programs on one machine or even setting up new ALG hosts.
- ALGs create a single point of failure in the network. If the ALG is compromised, the entire network becomes compromised.
ALG Firewall Device
ALG services run at the application level of the network protocol stack for each different type of service (for example, FTP or HTTP). Figure shows the protocol stack that the data flow traverses through an ALG. An ALG controls how internal users access the outside world and how Internet users access the internal network. In some cases, the proxy blocks all connections that come from the outside and only allows internal users to access the Internet. The only packets that the ALG allows back through the proxy are packets that return responses to requests from inside the firewall. In other cases, both inbound and outbound traffic are allowed under strictly controlled conditions. The ALG controls such connectivity by working as a filtering agent for internal or external users.
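As an added example (not code from the page or from any Cisco product), the Python model below shows what an FTP ALG does at the application layer: it reads the control channel, learns the data-channel address and port that a PORT command or a 227 reply announces, and returns the single pinhole the packet filter may open for that data connection. Announcements that name a host other than the peer that sent them, that use a port below 1024, or that are malformed are refused. The same inspection is what lets a filter associate dynamic channels with the initial session, as the application-awareness passage later in this section describes. The addresses, the control-channel lines in SAMPLE_SESSION and all function names are constructed for this example.

```python
"""Toy application layer gateway (ALG) for the FTP control channel.

Added example, not code from the page or from any Cisco product. The
addresses and the control-channel lines in SAMPLE_SESSION are constructed.
"""
import re
from dataclasses import dataclass

# "PORT h1,h2,h3,h4,p1,p2" from the client; "227 ... (h1,h2,h3,h4,p1,p2)" from the server
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """One data connection the packet filter may now let through."""
    src_ip: str      # host that will open the data connection
    dst_ip: str      # host it may connect to
    dst_port: int


def decode_hostport(groups):
    """Turn the six comma-separated fields into (ip, port); reject out-of-range fields."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in FTP host-port string")
    return ".".join(str(n) for n in nums[:4]), (nums[4] << 8) | nums[5]


def inspect_control_line(client_ip, server_ip, line, from_client):
    """Return ("pass", None), ("pass", Pinhole) or ("drop", None) for one control-channel line."""
    match = (PORT_RE if from_client else PASV_RE).match(line)
    if match is None:
        return "pass", None           # ordinary command or reply, no data channel announced
    try:
        ip, port = decode_hostport(match.groups())
    except ValueError:
        return "drop", None
    # The announced address must belong to the peer that sent the line, and the
    # port must not be a well-known service port; otherwise the ALG refuses it.
    expected_ip = client_ip if from_client else server_ip
    if ip != expected_ip or port < 1024:
        return "drop", None
    if from_client:                   # active mode: the server connects back to the client
        return "pass", Pinhole(server_ip, client_ip, port)
    return "pass", Pinhole(client_ip, server_ip, port)   # passive mode: the client connects to the server


def process_session(client_ip, server_ip, lines):
    """Run a whole control-channel exchange; collect the pinholes opened and the lines dropped."""
    pinholes, dropped = [], []
    for from_client, line in lines:
        verdict, hole = inspect_control_line(client_ip, server_ip, line, from_client)
        if verdict == "drop":
            dropped.append(line)
        elif hole is not None:
            pinholes.append(hole)
    return {"pinholes": pinholes, "dropped": dropped}


# Constructed control-channel exchange: (sent_by_client, line)
SAMPLE_SESSION = [
    (True, "USER alice"),
    (False, "331 Password required"),
    (True, "PORT 10,0,0,5,8,1"),                                 # client listens on 10.0.0.5:2049
    (False, "200 PORT command successful"),
    (True, "PORT 192,0,2,9,0,80"),                               # names a third-party host: refused
    (True, "PASV"),
    (False, "227 Entering Passive Mode (203,0,113,7,195,80)"),   # server listens on 203.0.113.7:50000
    (True, "PORT 10,0,0,5,999,1"),                               # malformed field: refused
]

if __name__ == "__main__":
    result = process_session("10.0.0.5", "203.0.113.7", SAMPLE_SESSION)
    for hole in result["pinholes"]:
        print("open", hole)
    for line in result["dropped"]:
        print("drop", line)
```

Running the module prints two pinholes (the server may connect to 10.0.0.5:2049, the client to 203.0.113.7:50000) and the two refused PORT lines; every other line passes without opening anything, which is the "only responses to inside-initiated requests" behaviour of the ALG applied to a dynamic protocol.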
Stateful Packet Filtering
In the mid-1990s, packet filters and proxy servers were the two technologies that administrators used to build firewall systems. As the number of applications that needed to pass through firewalls increased, proxy server vendors could not keep up with the development of new proxy servers. On the other hand, packet filtering also could not support the dynamic nature of the many modern applications. Therefore, a new technology was born. Figure summarizes the features of a stateful packet filter.
Unlike static packet filtering, which examines a packet based on the information in the packet header, stateful inspection tracks each connection and verifies that the connections are valid. A stateful firewall may examine not just the header information but also the contents of the packet up through the application layer in order to determine more about the packet than just information about the packet source and destination. For example, if the initial packet of a request arrives through the inside interface, the stateful packet filter remembers certain details of that request. This remembering is called “saving the state.” Each time a TCP or UDP connection is established for inbound or outbound connections, the state information is logged in the stateful session table. When the outside system responds to the initial request, the firewall compares the received packets with the saved state to determine if the packet should be allowed into the network.
Stateful firewalling, also known as stateful packet filtering, is an application-aware method of packet filtering that works on the connection level. A stateful packet filter is application-aware, so the filter is able to recognize all sessions of a dynamic application. In addition, a stateful packet filter maintains a state table (or connection table), where the filter keeps track of all the active sessions over the firewall. Stateful packet filtering is effective for these reasons:
- This filtering works on packets and connections.
- This filtering operates at a higher performance level than packet filtering or using a proxy server.
- This filtering records data for every connection or connectionless transaction in a stateful session flow table. This table serves as a reference point to determine if packets belong to an existing connection or are from an unauthorized source.
Content 6.1 Introducing the Cisco IOS Firewall
6.1.4 Stateful Firewall Operation
The State Table
The state table, or session table, is part of the internal data structure of a stateful packet filter. The table tracks all the sessions and inspects all the packets that pass over the stateful packet filter firewall. The packets only pass if they have the expected properties that the state table predicts. The state table dynamically changes and adapts with the traffic flow. If no state exists, a state is created and entered into the state table if the traffic flow meets the rules allowed in the firewall. Figure summarizes the features of a stateful firewall. Figure provides an example of how the information is logged in a stateful session flow table.
Application Awareness
Stateful packet filters are application-aware through additional inspection of passing traffic. By inspecting the session more closely, up to the application layer, a stateful packet filter is able to associate any dynamic channels of the application with the initial session of the application. The concept of a session in the stateful packet filter world is connected to the TCP and UDP notion of a session. Some stateful packet filter implementations, however, can keep the state of other protocols, such as the Internet Control Message Protocol (ICMP) or generic routing encapsulation (GRE).
Note
Stateful packet filters do not usually change packet headers or payloads in any way. Packets are only compared against the state table and, if permitted, are transmitted in their original form. A stateful packet filter can optionally perform Network Address Translation (NAT) or Port Address Translation (PAT). However, address or port translation is distinct from the stateful packet filtering process.
Stateful Packet Filter Handling of Different Protocols
Stateful firewalls provide different filtering granularity for various protocols. Figure describes how stateful firewalls handle different protocols.
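As an added example (not code from the page or from any Cisco product), the Python model below implements a small state table of the kind this section describes and walks a constructed packet trace through it. It covers the per-protocol handling that the TCP and UDP subsections which follow describe: a TCP entry is created only by a SYN that policy allows, the SYN-ACK and the final ACK must carry the expected acknowledgement numbers, later packets must fall within a window around the next expected sequence number, an RST removes the entry, and a UDP entry is refreshed by matching packets and deleted when its idle timer expires. The StatefulFilter class, the addresses, the 4096-byte window, the timeouts and the 10.0.0.0/8 "inside" policy are all assumptions of the example.

```python
"""Toy stateful packet filter with a session (state) table. Added example, not code from the
page or from any Cisco product; the trace, addresses, window and timeouts are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    t: float = 0.0                  # arrival time in seconds
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"RST"}
    seq: int = 0
    ack: int = 0
    length: int = 0                 # payload bytes


@dataclass
class Entry:                        # one row of the state table
    proto: str
    initiator: tuple                # (ip, port) that opened the session
    state: str                      # tcp: SYN_SENT, SYN_RECEIVED, ESTABLISHED; udp: ACTIVE
    last_seen: float
    next_seq: dict = field(default_factory=dict)  # endpoint -> next expected sequence number


def flow_key(pkt):                  # both directions of a flow share one entry
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


class StatefulFilter:
    def __init__(self, allow_new, window=4096, tcp_idle=3600, udp_idle=30, half_open=30):
        self.allow_new = allow_new  # policy callback: may this packet open a new session?
        self.window, self.tcp_idle, self.udp_idle, self.half_open = window, tcp_idle, udp_idle, half_open
        self.table = {}

    def _expire(self, now):         # timeouts delete idle UDP flows and half-open or idle TCP sessions
        for key, e in list(self.table.items()):
            limit = self.udp_idle if e.proto == "udp" else self.tcp_idle if e.state == "ESTABLISHED" else self.half_open
            if now - e.last_seen > limit:
                del self.table[key]

    def process(self, pkt):         # returns a "permit: ..." or "drop: ..." string
        self._expire(pkt.t)
        key, sender, peer = flow_key(pkt), (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        entry = self.table.get(key)
        if entry is None:
            if not self.allow_new(pkt):
                return "drop: no state and policy forbids new session"
            if pkt.proto == "tcp" and pkt.flags != {"SYN"}:
                return "drop: tcp session must start with SYN"
            entry = Entry(pkt.proto, sender, "SYN_SENT" if pkt.proto == "tcp" else "ACTIVE", pkt.t)
            if pkt.proto == "tcp":
                entry.next_seq[sender] = pkt.seq + 1
            self.table[key] = entry
            return "permit: new session"
        decision = "permit: matches flow" if pkt.proto == "udp" else self._tcp(key, entry, pkt, sender, peer)
        if decision.startswith("permit") and key in self.table:
            entry.last_seen = pkt.t     # only permitted packets refresh the idle timer
        return decision

    def _tcp(self, key, e, pkt, sender, peer):
        f = pkt.flags
        if "RST" in f:                  # forceful teardown removes the entry at once
            del self.table[key]
            return "permit: RST, state removed"
        if e.state == "SYN_SENT":
            if sender != e.initiator and f == {"SYN", "ACK"} and pkt.ack == e.next_seq[peer]:
                e.next_seq[sender], e.state = pkt.seq + 1, "SYN_RECEIVED"
                return "permit: SYN-ACK"
            return "drop: expected SYN-ACK from responder"
        if e.state == "SYN_RECEIVED":
            if not (sender == e.initiator and f == {"ACK"} and pkt.ack == e.next_seq[peer]):
                return "drop: expected handshake ACK from initiator"
            e.state = "ESTABLISHED"     # handshake done; the packet still gets the sequence check
        expected = e.next_seq[sender]   # a window around it tolerates minor reordering
        if not (expected - self.window <= pkt.seq <= expected + self.window):
            return "drop: sequence number outside window"
        e.next_seq[sender] = max(expected, pkt.seq + pkt.length)
        return "permit: in sequence"


C, S, U, D = ("10.0.0.5", 40000), ("203.0.113.7", 80), ("10.0.0.5", 5353), ("203.0.113.53", 53)


def tcp(a, b, t, flags, seq, ack=0, length=0):
    return Packet("tcp", a[0], a[1], b[0], b[1], t, frozenset(flags), seq, ack, length)


TRACE = [  # constructed trace: inside client to outside web server, then a DNS exchange
    tcp(C, S, 0.0, {"SYN"}, 100), tcp(S, C, 0.1, {"SYN", "ACK"}, 500, 101), tcp(C, S, 0.2, {"ACK"}, 101, 501),
    tcp(C, S, 0.3, {"ACK"}, 101, 501, 50),             # 50-byte request
    tcp(S, C, 0.4, {"ACK"}, 501, 151, 100),            # 100-byte response
    tcp(S, C, 0.5, {"ACK"}, 900000, 151, 10),          # sequence number far outside the window
    tcp(("198.51.100.9", 1234), ("10.0.0.5", 22), 0.6, {"SYN"}, 1),  # unsolicited SYN from outside
    tcp(S, C, 0.7, {"RST"}, 601),                      # reset from the server
    tcp(C, S, 0.8, {"ACK"}, 151, 601, 20),             # no state left for this flow
    Packet("udp", *U, *D, 1.0), Packet("udp", *D, *U, 1.5), Packet("udp", *D, *U, 40.0),  # last one idled out
]


def run_trace(packets, allow_new=lambda p: p.src.startswith("10.")):
    fw = StatefulFilter(allow_new)  # policy for the example: only 10.0.0.0/8 hosts may open sessions
    return [fw.process(p) for p in packets]
```

run_trace(TRACE) returns one decision per packet: the handshake and the two data packets are permitted, the packet with a sequence number far outside the window and the SYN arriving from outside are dropped, the RST is permitted and deletes the entry so the next inside packet is dropped for lack of state, and the second DNS reply, arriving after the 30-second UDP idle timer, is dropped because its entry has already been removed. Note that in this model a dropped packet never refreshes last_seen, so stray packets cannot keep a stale entry alive.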
Stateful Packet Filter Handling of TCP Sessions
When a stateful packet filter permits a TCP session, the session creates an entry in the state table. The stateful packet filter checks every subsequent packet against the state table to verify that each packet is the next expected packet in the session. Stateful firewalls robustly filter TCP sessions. These firewalls check the flow information of each packet (network addresses and transport layer ports) to find a matching entry in the state table and then verify that the TCP sequence and acknowledgement numbers are within the expected range. There is a window of allowed values to permit minor reordering of packets, which is legal in IP networks. Stateful firewalls usually process TCP flags (SYN and ACK) to ensure that a session starts with a proper three-way handshake. The stateful firewalls then remove the state table entry after the session has closed with a connection close or with a forceful teardown using the reset (RST) flag. Timeouts delete half-open, half-closed, and idle TCP sessions.
Stateful Packet Filter Handling of UDP Connections
The UDP protocol does not contain sufficient information in each packet to robustly verify the integrity of the UDP flow or its opening or closing. A stateful filter, when permitting a UDP application, creates a state table entry when the first UDP packet is permitted. The state table contains flow information (network addresses and transport layer ports) and an idle timer. The stateful packet filter permits all packets of the session if the packets match the flow description, and the state table entry is deleted when the idle timer expires.
Stateful Packet Filter Handling of Other IP Protocols
Stateful firewalls do not usually track other protocols, such as GRE and IPsec, but handle protocols in a stateless manner, similar to how a classic packet filter handles these protocols. If stateful support is