Page 163 - DCAP516_COMPUTER_SECURITY

Unit 13: Firewalls




          Stateful Packet Inspection

          Stateful packet inspection requires keeping track of the state of the communications channel
          between the endpoints in the communication. The firewall monitors the IP, TCP and UDP
          header information passing between client and server. By monitoring this information, the
          firewall knows who inside the protected zone is opening connections and whom outside the
          firewall they are communicating with. Thus, any unsolicited connection request from outside or
          any random packet sent from outside will be recognized as not being part of any permitted or
          ongoing communications.

          Stateful inspection firewalls can even permit return traffic from a server which is not explicitly
          permitted by the firewall’s ruleset. Because the client protected by the firewall initiated the
          connection, the firewall can permit the return response from the server, even if no rule exists to
          explicitly permit this. For example, smart stateful packet inspecting firewalls will know when a
          protected host is opening an FTP connection and will know to permit the returning connection
          for the data channel on a different TCP port.




              Task: Differentiate between packet filtering and packet inspecting firewalls.

          13.2.4 Proxy Firewall


          Proxy firewalls watch (primarily) the following fields:
          1.   Source Port Number
          2.   Destination Port Number
          Some proxy firewalls also perform Network Address Translation (NAT) in addition to Proxy
          Address Translation (PAT). These provide protection by performing all outside connections on
          behalf of the host, literally translating internal TCP and UDP port addresses to outside port
          addresses.
          Many proxy firewalls are stateless, and are therefore more easily tricked into permitting
          connections they should not. Moreover, since the proxy firewall typically does not inspect the
          contents of the packet, it is not capable of supporting IPsec functions (VPN/tunnels and
          encryption).

          13.2.5 Network Address Translation (NAT)

          Firewalls have low security areas (the outside) and high security areas (the inside) attached to
          their network interfaces. Network Address Translation (NAT) is a protocol that firewalls use to
          translate publicly routable IP addresses on the ‘outside’ to private IP addresses which are not
          routable on the Internet on the inside. This makes it more difficult for attackers to connect to a
          host protected by the firewall. A firewall providing NAT will receive a request from a protected
          host, strip the non-routable private IP address from the IP datagram and replace that address
          with a public IP address that is routable on the Internet. Thus, external hosts cannot directly
          connect to protected hosts as the private IP addresses are blocked within the architecture of the
          Internet itself.

          NAT with Overload (Port Address Translation)

          When an outside IP address is used by multiple hosts on different virtual ports, the NAT process
          is often referred to as NAT with Overload. This allows multiple hosts to use one outside address
          and to share the virtual port numbers available to the firewall.
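The following added example (not part of the original unit) models both the stateful inspection described in Section 13.2.3 and NAT with overload described here: outbound connections from private hosts are recorded in a state table and rewritten to one public address with a distinct port per flow, return packets are translated back only when they match a recorded flow, and unsolicited inbound packets are dropped. The addresses, port range and the `Packet` structure are constructed for illustration; real firewalls also track TCP flags, timeouts and protocol helpers such as FTP, which this simplified model omits.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal IP/transport header fields the firewall inspects (constructed model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulNatFirewall:
    """One public address shared by many inside hosts (NAT with overload / PAT)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port  # next free outside port to hand out
        # state table: inside flow -> outside port assigned to it
        self.outbound = {}
        # reverse table: (outside port, remote ip, remote port, proto) -> inside endpoint
        self.inbound = {}

    def outbound_packet(self, pkt: Packet) -> Packet:
        """Record the flow (if new) and rewrite the source to the public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound_packet(self, pkt: Packet):
        """Translate return traffic of a tracked flow; return None (drop) otherwise."""
        if pkt.dst_ip != self.public_ip:
            return None  # not addressed to us at all
        inside = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if inside is None:
            return None  # unsolicited: no inside host opened this connection
        inside_ip, inside_port = inside
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)
```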




                                           LOVELY PROFESSIONAL UNIVERSITY                                   157