SSi Service Strategies Inc.	Stateful Inspection

SSi

Stateful Inspection In A Firewall

Stateful Inspection is the Network Security Standard

Every operating system implementation has security leaks that are known to hackers worldwide. The majority of hackers' attacks that are intended to penetrate a firewall are launched against security leaks in the Operating System or TCP/IP layers, as shown below. SonicWALL Internet security appliances use stateful packet inspection to determine if a data packet is allowed through the firewall to the private LAN. Stateful Inspection, invented by Check Point Software Technologies, has emerged as the industry standard for network security solutions. With stateful inspection, packets are intercepted at the network layer for best performance (as in packet filters), but then data derived from all communication layers is accessed and analyzed for improved security (compared to layers 4–7 in application-layer gateways). Stateful Inspection then introduces a higher level of security by incorporating communication- and application-derived state and context information which is stored and updated dynamically. This provides cumulative data against which subsequent communication attempts can be evaluated. It also delivers the ability to create virtual session information for tracking connectionless protocols (e.g. RPC and UDP-based applications), something no other firewall technology can accomplish. Thanks to stateful packet inspection, no attack launched against these sensitive layers can penetrate the SonicWALL Firewall.

OSI
Layer Apple
Computer Banyan
Systems DEC
DECnet IBM
SNA Microsoft
Networking Novell
NetWare TCP/IP
Internet Xerox
XNS OSI
Protocols

Application
Layer 7 Application Programs and Protocols
for file transfer, electronic mail, etc.

Presentation
Layer 6 AppleTalk
Filing
Protocol
(AFP) Remote
Procedural
Calls
(Net RPC) Network
Management
Network
Application Transaction
Services
Presentation
Services Server
Message
Block
(SMB) NetWare
Core
Protocols
(NCP (Telnet, FTP,
SMTP, etc.) Control and
Process
Interaction ISO
8823

Session
Layer 5 AppleTalk
Session
Protocol
(ASP) Session Data
Flow
Control Network Basic
Input/Output
System
(NetBIOS) Network Basic
Input/Output
System
(NetBIOS) ISO
8327

Transport
Layer 4 AppleTalk
Transaction
Protocol
(ATP) VINES
InterProcess
Communications
(VIPC) End
Communications Transmission
Control Network
Basic Extended
User Interface
(NetBEUI) Sequenced
Packet
Exchange
(SPX) Transmission
Control Protocol (TCP),
Unacknowledged
Datagram Protocol (UDP) Sequenced
Packet
Protocol
(SPP) ISO
8073
TP0-4

Network
Layer 3 Datagram
Delivery
Protocol
(DDP) VINES
Internet
Protocol
(VIP) Routing Path
Control Internet
Packet
Exchange
(IPX) Internet
Protocol
(IP) Internet
Datagram
Protocol
(IDP) ISO
8473
(CLNP)

Data Link
Layer 2 Network Interface Cards: Ethernet, Token-Ring, ARCNET, StarLAN, LocalTalk, FDDI, ATM, etc.
NIC Drivers: Open Datalink Interface (ODI), Network Independent Interface Specification (NDIS)

Physical
Layer 1 Transmission Media:
Twisted Pair, Coax, Fiber Optic, Wireless Media, etc.

Stateful Packet Inspection In More Detail

The firewall comes with a default security policy which blocks all "inbound" connections (from the Internet to the LAN), and allows all "outbound" connections (from the LAN to the Internet). The desired effect is that LAN users can continue to access Internet resources, while hackers on the Internet cannot access the internal LAN resources. SonicWALL provides this protection in a network appliance. Since user-level applications such as FTP and the Web can create complex patterns of network traffic, it is necessary for the appliance to analyze groups of network connection "states". A central cache within the firewall appliance keeps track of the state information associated with all network connections. All traffic passing through the firewall is analyzed against the state of these connections in order to determine whether or not it will be allowed to pass through or rejected.

TCP Security

SonicWALL uses the state information embedded in TCP packets. The first packet of any new connection has its SYN flag set and its ACK flag cleared; we call these "initiation" packets. All packets which do not have this flag structure are called "subsequent" packets, since they represent data which occurs later in the TCP stream. If an initiation packet originates on the WAN, this means that someone is trying to make a connection from the Internet into the LAN. Except in a few special cases (see "Upper Layer Protocols" below), these packets are dropped and logged. If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed through. A cache entry is added which includes connection information such as IP addresses, TCP ports, sequence numbers, etc. When any subsequent packet hits the box (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a connection which originated on the LAN).

UDP/ICMP Security

UDP and ICMP do not themselves contain any connection information (such as sequence numbers). However, at the very minimum, they contain an IP address pair. UDP also contains port pairs, and ICMP has type and code information. All of these data can be analyzed in order to build "virtual connections" in the cache. For instance, a cache entry will be created by any UDP packet which originates on the LAN. Its IP address and port pairs will be stored. For a short period of time, UDP packets from the WAN which have matching IP and UDP information will be allowed back in through the firewall. An analogous situation exists for ICMP, except that SonicWALL is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall, simply because they are too dangerous and contain too little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used to reroute traffic through attacking machines.

Upper Layer Protocols

Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously. In general terms, they usually have a "control connection" which is used for sending commands between endpoints, and then "data connections" which are used for transmitting bulk information. Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet and requests a file. At this point, the remote server will open a data connection from the Internet. For FTP to work properly, this connection must be allowed to pass through even though a connection from the Internet would normally be rejected. In order to achieve this, SonicWALL inspects the application-level FTP data. Specifically, it searches for outgoing "PORT" commands, and when it sees these, it adds a cache entry for the anticipated data connection. This can be done safely, since the PORT command contains address and port information which can be used to uniquely identify the connection. Any protocol which operates in this way must be supported on a case-by-case basis.

To learn more about the SonicWALL firewall and its components and features, please visit our web site dedicated to SonicWALL by clicking on the button below.


	If you would like to request additional information on a subject or evaluate a product or service, please click on the appropriate button below.


	*Service Strategies Inc.* *2392 Mount Vernon Rd* *Dunwoody, GA 30338-3092* *678-441-0020 800-662-1615* *assist@ssimail.com*
	Copyright © 1998-2002 Service Strategies Inc. All rights reserved. Revised: November 20, 2003.