Intrusion Detection (Stateful Inspection)


A stateful inspection device operates in a manner similar to a packet-filtering firewall in that it also examines the source and destination addresses of every packet that passes its way. However, a packet filter is never aware of the context of any communication. Each packet that passes through it is treated on an individual basis. A firewall that employs stateful inspection techniques attempts to keep track of requests and responses to be sure they match.

This type of firewall maintains tables of information about current connections so that it can determine whether incoming packets are unsolicited or whether they are in response to a request that was made by a user on the internal network. Another name sometimes used for this type of firewall is dynamic packet filter.

When a connection terminates, the firewall removes the reference from its internal table so that an external source cannot use it to gain entry again.
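The connection table described above, as an added toy illustration (not code from the book): an outbound request is recorded, inbound packets are allowed only when they match a recorded request, and the entry is removed once a FIN or RST is seen so it cannot be reused. The internal prefix `10.0.0.` and the `Packet`/`StatefulFilter` names are assumptions.

```python
# Toy stateful packet filter (added illustration, not from the book): inbound
# packets pass only if they answer a request an internal host made, and the
# table entry is dropped when the connection ends. 10.0.0.x is the assumed LAN.
from collections import namedtuple

INTERNAL_PREFIX = "10.0.0."   # assumed internal address prefix
Packet = namedtuple("Packet", "src sport dst dport flags")   # flags: "SYN", "FIN ACK", ...

def _internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def _closing(pkt):
    # Simplification: a single FIN or RST from either side ends the connection.
    return "FIN" in pkt.flags or "RST" in pkt.flags

class StatefulFilter:
    def __init__(self):
        # State table: (internal_ip, internal_port, remote_ip, remote_port)
        self.table = set()

    def check(self, pkt):
        """Return 'allow' or 'drop' for pkt and update the state table."""
        if _internal(pkt.src) and not _internal(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # outbound request
            if _closing(pkt):
                self.table.discard(key)   # connection over: remove the reference
            else:
                self.table.add(key)       # remember it so the reply can be matched
            return "allow"
        if not _internal(pkt.src) and _internal(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # inbound: flip the tuple
            if key not in self.table:
                return "drop"             # unsolicited: no matching request
            if _closing(pkt):
                self.table.discard(key)   # closed: a later packet cannot reuse it
            return "allow"
        return "drop"                     # neither direction recognised

def demo():
    """Walk one web connection through the filter; returns the decisions."""
    fw = StatefulFilter()
    pkts = [Packet("10.0.0.5", 40000, "203.0.113.10", 80, "SYN"),       # request
            Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SYN ACK"),   # reply
            Packet("203.0.113.10", 80, "10.0.0.5", 40001, "SYN"),       # unsolicited
            Packet("203.0.113.10", 80, "10.0.0.5", 40000, "FIN ACK"),   # close
            Packet("203.0.113.10", 80, "10.0.0.5", 40000, "ACK")]       # stale
    return [fw.check(p) for p in pkts]
```

A plain packet filter would have to open port 40000 permanently to let the reply through; here the reply is accepted only while the table entry exists.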

Many proprietary stateful inspection firewall products are on the market today. Study the documentation of this type of product before you make a purchase so that you can fully understand how it operates.

Filtering Based on Applications

Filtering based on applications enables you to specify which programs are permitted to access the Internet, rather than specifying which TCP or UDP ports are permitted to access the Internet. This type of filtering is a form of stateful packet inspection (SPI) that is designed to make configuration relatively simple for the end user.

The updated version of Windows Firewall introduced in Windows XP Service Pack 2 as well as most third-party firewall programs use application filtering. Note that most firewalls, including Windows Firewall, can also perform port-based filtering when necessary.

Application-based firewalls enable the user to specify a list of applications (sometimes known as trusted applications) which can be used for network and Internet access. Applications not on the trusted list trigger a warning when an attempt is made to access them from the network or Internet (depending on the firewall's configuration).

Windows Firewall Versus Third-Party Firewall Programs

Although both the Windows XP Service Pack 2 Firewall (Windows Firewall) and third-party firewalls are application-based, there are significant differences in how they operate.

The Windows Firewall is enabled by default when Windows XP Service Pack 2 is installed. It is controlled through the Windows Firewall icon in Control Panel, or through the Advanced tab of the network connection properties sheet in Network Connections.

Windows Firewall includes a default list of programs it permits to accept incoming connections. You can add programs to the list or, for programs with which application-based filtering does not work properly, specify particular TCP or UDP ports instead.

It is commonly believed that any application that is not on the list and attempts to listen for inbound traffic will trigger an alert dialog. This is not correct. Some programs include Windows Firewall API function calls that automatically create firewall exceptions when the program runs, yet the program will not appear on the Exceptions list. However, when Windows Firewall detects a connection by a program that does not use the Windows Firewall APIs and has not been manually granted access, it displays an alert dialog asking whether you want to:

  • Keep blocking. Click this option to continue blocking the program's Internet access; the program is added to the exceptions list in a Disabled state.

  • Unblock. Click this option to permit the program to access the Internet; the program is added to the exceptions list in an Enabled state.

  • Ask me later. Blocks the program this time only; the next time the program runs, Windows Firewall again asks whether to block or unblock it.

It's important to realize that Windows Firewall is designed to stop unauthorized programs from listening for incoming traffic. It does not block outgoing traffic. Consequently, Windows Firewall cannot stop worms, spyware, and Trojans that send data out to remote computers.

By contrast, many third-party firewalls are configured to block both inbound and outbound connections. Firewalls with inbound and outbound filtering usually display a dialog when a program attempts to make an outbound connection and ask the user whether the program should be granted access (see Figure 45.1).

Figure 45.1. The ZoneAlarm firewall program displays an alert when a program attempts to access the Internet.


Outbound access can be granted on a one-time or continuous basis. If you select the option to permit access one time only, the firewall program will ask you for permission the next time the program attempts outbound access. Select an option such as "Remember this setting" (refer to Figure 45.1) to permit the program to have Internet access from now on.

Unauthorized inbound connections are usually blocked automatically. Depending upon the firewall program, an alert dialog might be displayed. You can configure the firewall to permit or continue to block inbound connections. The ability to monitor and block both inbound and outbound access is very useful for stopping Trojans, spyware, and other threats that connect to a remote server as part of their operation. This is one of the biggest advantages of third-party firewall programs over Windows Firewall.

Both Windows Firewall and third-party firewalls can be configured to permit different levels of access. For example, Windows Firewall's Change Scope option (located on the Edit tab) permits you to unblock a particular program for any computer (including Internet access), all computers on the current subnet, or a custom list of specified IP address ranges.
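The exceptions-list behaviour described in this section (the three alert-dialog outcomes and the Change Scope options), as an added model in Python that is not code from the book or from Microsoft. The local subnet `192.168.1.0/24`, the program names and the `ExceptionList` class are assumptions used only to show how the decision works.

```python
# Model of Windows Firewall's exceptions list, alert dialog outcomes and
# Change Scope options as described above (added illustration, not from the
# book or Microsoft). The local subnet 192.168.1.0/24 is an assumption.
import ipaddress

LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")   # assumed current subnet

class ExceptionList:
    def __init__(self):
        self.entries = {}   # program -> (enabled, scope, [ip networks])

    def answer_dialog(self, program, choice):
        """Record the outcome of the 'program is trying to listen' alert."""
        if choice == "Keep blocking":
            self.entries[program] = (False, "any", [])     # listed, Disabled
        elif choice == "Unblock":
            self.entries[program] = (True, "any", [])      # listed, Enabled
        elif choice == "Ask me later":
            pass   # blocked this run, nothing recorded: asked again next run
        else:
            raise ValueError(f"unknown dialog choice: {choice}")

    def change_scope(self, program, scope, ranges=()):
        """scope: 'any' (incl. Internet), 'subnet', or 'custom' with CIDR ranges."""
        enabled, _, _ = self.entries[program]
        nets = [ipaddress.ip_network(r) for r in ranges]
        self.entries[program] = (enabled, scope, nets)

    def inbound(self, program, remote_ip):
        """Decision for an inbound connection from remote_ip to program."""
        entry = self.entries.get(program)
        if entry is None:
            return "prompt"   # not on the list: the alert dialog appears
        enabled, scope, nets = entry
        if not enabled:
            return "block"    # Disabled entry: blocked silently
        ip = ipaddress.ip_address(remote_ip)
        if scope == "any":
            return "allow"
        if scope == "subnet":
            return "allow" if ip in LOCAL_SUBNET else "block"
        if scope == "custom":
            return "allow" if any(ip in n for n in nets) else "block"
        raise ValueError(f"unknown scope: {scope}")
```

Note that the scope narrows only who may reach a listening program; as the section says, none of these settings affects outbound traffic.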




Upgrading and Repairing Networks
Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
EAN: 2147483647
Year: 2006
Pages: 411
