Stateful Packet Inspection Firewalls


Stateful packet inspection firewalls analyze packets down to the application layer rather than filtering packets only by header information, enabling the firewall to enforce tighter, more granular security policies.

  • aka stateful firewalls
  • circuit-level stateful inspection firewall maintains stateful information about the session established between two hosts
    • including malicious attempts to start a bogus session
  • can watch the traffic over a given connection
    • defined by:
      • the source and destination IP addresses
      • ports being used
      • and the already existing network traffic
  • can also function as packet filtering firewalls
  • operate at the transport layer (TCP/IP model)
    • determines the legitimacy of a requested TCP session by monitoring the 3-way handshake
  • operate at layer 5 (Session) of the OSI model
  • stateful inspection occurs at layer 4 and layer 7 of OSI model

How it Works

  • uses a state table to keep track of the connection state (the normal sequence of traffic)
    • allows traffic that is part of a new or already established connection only
    • state table stores session data
  • when a packet arrives, the firewall checks it to confirm whether it belongs to an existing connection
    • if it does not, it applies the ordinary packet filtering rules to determine whether to allow it
  • once the connection has been allowed,
    • the firewall allows traffic to pass unmonitored
      • to conserve processing effort
  • can help to prevent some intentionally disruptive attack traffic that doesn’t resemble a proper and expected connection
  • can identify and track the traffic related to a user-initiated connection to a website

Types

Layer 4 Firewall

A layer 4 firewall is a stateful inspection firewall that can monitor TCP sessions and UDP traffic.

  • examines the TCP three-way handshake to distinguish new from established connections
  • a legitimate TCP connection should follow a SYN > SYN/ACK > ACK sequence to establish a session
    • the handshake is tracked using sequence numbers
    • deviations from this sequence or sequence-number anomalies can be dropped
      • e.g., SYN without ACK
  • can be configured to respond to attacks by
    • blocking source IP addresses and throttling sessions
  • can track UDP traffic
    • this is harder because UDP is connectionless
  • can detect IP header and ICMP anomalies
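The state table and handshake tracking described under "How it Works" and in the layer 4 list above, as an added worked example (this is illustrative code written for these notes, not code from any real firewall product). The `Packet` and `Conn` types, the `StatefulFirewall` class, the trusted prefix `10.0.0.`, the allowed new-session ports and all addresses in the trace are constructed assumptions. Packets that belong to a tracked session are matched by their 4-tuple; an untracked packet is only admitted if it is a bare SYN that the static packet-filtering rules permit, and the SYN/ACK and ACK are checked against the sequence numbers recorded in the table.

```python
"""Toy stateful (layer 4) firewall with a state table keyed by TCP 4-tuple.

Added illustration for these notes; not a real product's code. Policy,
state names and sample addresses are constructed assumptions.
"""
from dataclasses import dataclass

# Static packet-filtering rules, consulted only for packets that are NOT part
# of a tracked session: only hosts in the trusted prefix may open new sessions,
# and only to web ports (constructed policy).
TRUSTED_PREFIX = "10.0.0."
ALLOWED_NEW_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0
    ack: int = 0


@dataclass
class Conn:
    state: str                # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    client_isn: int           # client's initial sequence number
    server_isn: int = 0       # learned from the SYN/ACK


class StatefulFirewall:
    def __init__(self):
        # State table: client-side 4-tuple -> connection state.
        self.table = {}

    def _policy_allows_new(self, pkt):
        # Ordinary packet-filtering rule for connection attempts.
        return pkt.src.startswith(TRUSTED_PREFIX) and pkt.dport in ALLOWED_NEW_PORTS

    def process(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)   # client -> server
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)   # server -> client
        f = pkt.flags

        if fwd in self.table:                    # client-side packet of a known session
            c = self.table[fwd]
            if c.state == "ESTABLISHED":
                if f & {"FIN", "RST"}:
                    del self.table[fwd]          # teardown: stop tracking the session
                return "ACCEPT"                  # established traffic passes unmonitored
            if c.state == "SYN_RECEIVED" and f == {"ACK"} and pkt.ack == c.server_isn + 1:
                c.state = "ESTABLISHED"          # handshake completed in order
                return "ACCEPT"
            return "DROP"                        # out-of-sequence handshake packet

        if rev in self.table:                    # server-side packet of a known session
            c = self.table[rev]
            if c.state == "ESTABLISHED":
                if f & {"FIN", "RST"}:
                    del self.table[rev]
                return "ACCEPT"
            if c.state == "SYN_SENT" and f == {"SYN", "ACK"} and pkt.ack == c.client_isn + 1:
                c.state = "SYN_RECEIVED"
                c.server_isn = pkt.seq           # remember the server's ISN for the final ACK
                return "ACCEPT"
            return "DROP"                        # wrong flags or wrong acknowledgement number

        # Untracked packet: only a bare SYN may start a session, and only if the
        # static rules permit it. An ACK/FIN/RST with no prior SYN is an anomaly.
        if f == {"SYN"} and self._policy_allows_new(pkt):
            self.table[fwd] = Conn("SYN_SENT", client_isn=pkt.seq)
            return "ACCEPT"
        return "DROP"


def run_handshake_demo():
    """Feed a constructed packet trace through the firewall; returns the verdicts."""
    fw = StatefulFirewall()
    S = frozenset
    client, server, outsider = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed
    trace = [
        Packet(client, server, 40000, 80, S({"SYN"}), seq=1000),                    # new, policy ok
        Packet(server, client, 80, 40000, S({"SYN", "ACK"}), seq=5000, ack=1001),   # SYN/ACK in order
        Packet(client, server, 40000, 80, S({"ACK"}), seq=1001, ack=5001),          # -> ESTABLISHED
        Packet(client, server, 40000, 80, S({"ACK"}), seq=1001, ack=5001),          # established data
        Packet(outsider, client, 4444, 40001, S({"ACK"})),                          # ACK, no session
        Packet(outsider, client, 4444, 40002, S({"SYN"})),                          # outsider may not start
        Packet(client, server, 40003, 80, S({"SYN"}), seq=7000),                    # second session
        Packet(server, client, 80, 40003, S({"SYN", "ACK"}), seq=9000, ack=1),      # bad ack number
        Packet(client, server, 40000, 80, S({"FIN", "ACK"}), seq=1050, ack=5001),   # teardown
        Packet(client, server, 40000, 80, S({"ACK"}), seq=1051, ack=5001),          # session gone
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    print(run_handshake_demo())
```

The verdicts for the trace are ACCEPT for the three handshake packets and the established data, DROP for the unsolicited ACK and the outsider's SYN, ACCEPT for the second SYN, DROP for the SYN/ACK with the wrong acknowledgement number, ACCEPT for the FIN, and DROP for the packet sent after the session was removed from the table.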

Layer 7 Firewall

A layer 7 firewall is a stateful inspection firewall that can filter traffic based on specific application protocol headers and data, such as web or email data.

  • layer 7 is Application layer of OSI model
  • can inspect the headers and payload of application-layer packets
  • key feature is:
    • can verify the application protocol matches the port
      • because malware can try to send raw TCP data over port 80 just because port 80 is open
  • web application firewall could analyze the HTTP headers and the webpage formatting code present in HTTP packets to identify strings that match a pattern in its threat database
  • have many different names:
    • application layer gateway
    • stateful multilayer inspection
    • and deep packet inspection
  • Application-aware devices have to be configured with separate filters for each type of traffic
    • HTTP and HTTPS, SMTP/POP/IMAP, FTP, etc.
  • a firewall that performs application-layer filtering is likely implemented as a proxy

Deep packet inspection firewalls analyze the actual content of the traffic that flows through them.

  • packet filtering and stateful firewalls only look at the structure of the network traffic
  • deep packet inspection can reassemble the contents of the traffic to see what it will deliver to the application
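The layer 7 "key feature" above (checking that the application protocol actually matches the port, so raw non-HTTP data on port 80 is refused) together with the web application firewall's pattern matching against a threat database, as an added worked example written for these notes rather than taken from any product. The `identify_protocol` and `inspect` functions, the port-to-protocol map, the two-entry "threat database" and the sample payloads are all constructed assumptions; only the first client payload of a session is examined.

```python
"""Toy layer 7 check: does the payload on a port match the protocol expected there?

Added illustration for these notes; not a real firewall's code. The port map,
signature list and sample payloads are constructed.
"""
import re

# Constructed expectation of which application protocol belongs on which port.
EXPECTED_PROTOCOL = {80: "HTTP", 443: "TLS"}

# Constructed stand-in for a WAF "threat database": patterns flagged when they
# appear in an HTTP request line.
HTTP_SIGNATURES = [
    (re.compile(rb"\.\./"), "directory traversal sequence"),
    (re.compile(rb"%00"), "encoded null byte"),
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_protocol(payload: bytes) -> str:
    """Guess the application protocol from the first client bytes of a session."""
    request_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in request_line:
        return "HTTP"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x01..0x04,
    # 2-byte length, then a handshake message of type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (1, 2, 3, 4) and payload[5] == 0x01):
        return "TLS"
    return "UNKNOWN"


def inspect(dport: int, payload: bytes):
    """Return (verdict, reason) for the first application-layer payload on a port."""
    expected = EXPECTED_PROTOCOL.get(dport)
    if expected is None:
        # Application-aware devices need a filter per traffic type; none here.
        return "DROP", f"no application filter configured for port {dport}"
    proto = identify_protocol(payload)
    if proto != expected:
        return "DROP", f"expected {expected} on port {dport}, saw {proto}"
    if proto == "HTTP":
        request_line = payload.split(b"\r\n", 1)[0]
        for pattern, name in HTTP_SIGNATURES:
            if pattern.search(request_line):
                return "DROP", f"request line matches signature: {name}"
    return "ACCEPT", f"{proto} on port {dport}"


def run_l7_demo():
    """Run constructed payloads through the check; returns the verdicts."""
    client_hello = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"   # constructed TLS record prefix
    samples = [
        (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),   # HTTP on 80: ok
        (443, client_hello),                                            # TLS on 443: ok
        (80, b"\x00\x01\x02raw tunnel data"),                           # not HTTP on 80
        (80, client_hello),                                             # TLS on the HTTP port
        (80, b"GET /static/../../config HTTP/1.1\r\n\r\n"),             # matches a signature
    ]
    return [inspect(port, data)[0] for port, data in samples]


if __name__ == "__main__":
    for verdict in run_l7_demo():
        print(verdict)
```

The first two samples are accepted; the raw bytes and the TLS record on port 80 are dropped because the protocol does not match the port, and the last request is dropped by the signature check even though it is well-formed HTTP. In practice the protocol guess would be refined over the whole reassembled stream rather than the first payload, which is what the deep packet inspection bullet above refers to.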

Weakness

Deep packet inspection raises privacy concerns, since the firewall can see the full content of the internet traffic passing through it.