Static Packet Filtering (Stateless Firewall)
Static packet filtering is based on Layer 3 and Layer 4 of the OSI model. An example of a firewall technology that uses static packet filtering is a router with an ACL applied to one or more of its interfaces for the purpose of permitting or denying specific traffic. One of the challenges with static packet filtering is that the administrator must know exactly what traffic needs to be allowed through the firewall, which can be tricky when many users need to access many servers.
- Based on simple sets of permit or deny entries
- Have minimal impact on network performance
- Configurable on most routers
- Can perform many of the basic filtering needs without requiring the expense of a high-end firewall
- Susceptible to IP spoofing
- Does not filter fragmented packets with the same accuracy as nonfragmented packets
- Extremely long ACLs are difficult to maintain
- Stateless: does not maintain session information for the current flows of traffic going through the router
- Some applications jump around and use many ports, some of which are dynamic
Because packet filtering uses a simple rule set, a packet entering or leaving an interface that has an ACL applied for filtering is checked against the entries in the ACL from top to bottom. As soon as a match occurs, the ACL stops processing the rest of the list and applies the action of that entry to the packet, which is either a permit or a deny. An extended ACL on a Cisco router can use many matching criteria against the Layer 3 and Layer 4 headers, including the following:
■ Source IP address
■ Destination IP address
■ Source port
■ Destination port
■ TCP synchronization information
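The top-down, first-match evaluation described above, as an added example (not from the original notes): a small model of an inbound extended ACL that matches on the Layer 3 and Layer 4 fields listed, including the TCP ACK flag that Cisco's `established` keyword keys on. Addresses, the ACL entries and the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    ack: bool = False   # TCP ACK flag; a stateless filter sees only this bit

@dataclass
class Ace:
    """One access control entry. proto "ip" matches any protocol,
    and "0.0.0.0/0" stands in for the Cisco keyword 'any'."""
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False   # only TCP segments with ACK set (Cisco also accepts RST)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True

def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL top to bottom; the first matching entry decides.
    Returns (action, entry number); no match hits the implicit deny."""
    for n, ace in enumerate(acl, start=1):
        if ace.matches(p):
            return ace.action, n
    return "deny", None

# Constructed inbound ACL for the outside interface of a hypothetical router:
# allow HTTPS to one public server, allow TCP replies to the inside network, deny the rest.
INBOUND_ACL = [
    Ace("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", dport=443),
    Ace("permit", "tcp", "0.0.0.0/0", "10.0.0.0/8", established=True),
    Ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]
```

Note that entry 2 cannot tell a genuine reply from any other segment carrying an ACK flag: the router keeps no session table, which is exactly the stateless limitation the list above points out.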
Application Layer Gateway (Proxy Firewall)
Application layer firewalls, also sometimes called proxy firewalls or application gateways, can operate at Layer 3 and higher in the OSI reference model. Most of these proxy servers include specialized application software that takes requests from a client, puts that client on hold for a moment, and then makes the request to the final destination as if it were the proxy's own request.
A proxy firewall acts as an intermediary between the original client and the server. No direct communication occurs between the client and the destination server. Because the application layer gateway can operate all the way up to Layer 7, it has the potential to be very granular and analytical about every packet that the client and server exchange and can enforce rules based on anything the firewall sees.
- Very tight control is possible, due to analyzing the traffic all the way to the application layer.
- It is more difficult to implement an attack against an end device because of the proxy server standing between the attacker and potential victim.
- Can provide very detailed logging.
- May be implemented on common hardware.
- Processor intensive.
- Not all applications are supported.
- Special client software may be required.
- Memory and disk intensive at the proxy server.
- Single point of failure.
Stateful Packet Filtering
Stateful packet filtering is one of the most important firewall technologies in use today. It is called stateful because it remembers the state of sessions that are going through the firewall. Here is a great example. Suppose that you and I go to an amusement park, and halfway through the day we realize that we forgot something in the car. So, on our way out to retrieve the item, we wonder (at the gate) whether we have to pay to get back in.
The nice person at the gate explains that she will stamp our hand with a code so that when we return we can show the code and they will let us back in for free. Let's say, for our example, that they also write our names on a list of people who were already on the inside and went out to the parking lot with the intention of returning. When we want to come back inside, the people at the gate check the list and see that we have already been on the inside and that we left temporarily. So, they allow us back in.
More on Stateful
With a stateful packet-filtering device, when customers on the inside of the corporate network try to reach resources on the outside public networks, their packets pass through the firewall on the way out. The firewall looks at the source IP address, destination IP address and the ports in use, looks at other layers for information, and remembers that information in what is known as a stateful database. It is called stateful because the firewall is remembering the state of the session (that it was initiated from the inside, including the ports and IP addresses involved).
By default, this same firewall does not allow any traffic from the outside and untrusted networks back into the private trusted inside network. The exception to this is return traffic that exactly matches the expected return traffic based on the stateful database information on the firewall. In short, the reply traffic goes back to the users successfully, but attackers on the outside trying to initiate sessions are denied by default.
- Can be used as the primary means of defense by filtering unwanted or unexpected traffic.
- Routers can be used as stateful firewalls.
- Dynamic in nature compared to static packet filtering.
- Provides a defense against spoofing and denial-of-service (DoS) attacks.
- Might not be able to identify or prevent an application layer attack.
- Not all protocols contain control state information, for example User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP).
- Some applications may dynamically open new ports from the server. If the firewall is not analyzing the specific application and is not prepared for the server to open a new port, this can cause that application to fail for the end user. If the firewall also supports application layer inspection, it may be able to predict and allow this inbound connection.
- Stateful technology, by itself, does not support user authentication. This, however, does not prevent a firewall that implements stateful packet filtering from also implementing authentication as an additional feature.
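The stateful database described in the "More on Stateful" paragraphs, together with the UDP/ICMP caveat in the list above, as an added example that is not part of the original notes: a model of a firewall that records sessions initiated from the inside and admits outside traffic only when it is the reply to a recorded session. Because UDP and ICMP carry no connection state, the model keeps a pseudo-session for them that simply expires after a short idle time. Addresses, port numbers and the timeout values are constructed.

```python
from typing import Dict, Tuple

# One flow in the stateful database, always stored in the outbound direction:
# (inside src, outside dst, src port, dst port, protocol)
Flow = Tuple[str, str, int, int, str]

class StatefulFirewall:
    """Constructed model: inside-initiated sessions are remembered; anything arriving
    from the outside that is not a reply to one of them is denied by default."""

    # Idle timeouts in seconds (constructed values). TCP has real connection state;
    # UDP and ICMP get only a short-lived pseudo-state entry keyed on the tuple.
    IDLE_TIMEOUT = {"tcp": 3600.0, "udp": 30.0, "icmp": 10.0}

    def __init__(self) -> None:
        self.state: Dict[Flow, float] = {}   # the stateful database: flow -> last seen

    def outbound(self, src: str, dst: str, sport: int, dport: int,
                 proto: str, now: float) -> str:
        """Traffic leaving the trusted side: permit and record (or refresh) the session."""
        self.state[(src, dst, sport, dport, proto)] = now
        return "permit"

    def inbound(self, src: str, dst: str, sport: int, dport: int,
                proto: str, now: float) -> str:
        """Traffic arriving from the untrusted side: permit only an exact reply
        to a live session, i.e. the recorded tuple with src/dst and ports swapped."""
        key = (dst, src, dport, sport, proto)
        last_seen = self.state.get(key)
        if last_seen is None:
            return "deny"               # no session was initiated from the inside
        if now - last_seen > self.IDLE_TIMEOUT[proto]:
            del self.state[key]         # stale entry: treat as a new, unsolicited connection
            return "deny"
        self.state[key] = now           # refresh the entry; the session is still active
        return "permit"
```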