3.3 Dynamic packet filtering or stateful inspection


There is an increasingly large number of application protocols that make use of multiple connections and/or dynamically assigned port numbers. This makes it difficult to specify and set up appropriate packet-filtering rules. For example, FTP in its original (active) mode uses two TCP connections to transfer a file (i.e., an FTP control connection and an FTP data connection). Imagine a situation in which an intranet client wishes to establish an outbound FTP session to a server located on the Internet. According to the FTP specification, the client would first establish an outbound TCP connection from a randomly chosen (ephemeral) port X to the FTP control port (i.e., port 21) of the server. Among other things, this connection would be used by the client to inform the server on which port Y it is going to listen for the incoming FTP data connection (using the PORT command of the FTP protocol, which carries the client's IP address and port number as six comma-separated decimal values). The server, in turn, would establish an inbound TCP connection from its FTP data port (i.e., port 20) to port Y on the client side. A file requested by the client would then be transferred on this TCP connection.

Now imagine what happens if Internet connectivity is mediated through a screening router and the corresponding packet-filtering rules are configured in a restrictive way (meaning that inbound TCP connections, i.e., TCP segments with the SYN flag set arriving from the Internet, are not allowed). In this situation, the second TCP connection (i.e., the FTP data connection) would be denied and the corresponding file transfer would not be able to take place. The underlying problem is that, due to the stateless nature of (static) packet filtering, it is not possible to recognize that the second TCP connection (i.e., the FTP data connection) logically belongs to the first TCP connection (i.e., the FTP control connection), and that the two connections collectively represent an FTP session. Consequently, the screening router simply sees an Internet server trying to establish an inbound TCP connection from server port 20 to client port Y, and according to its policy and configuration it is very likely to refuse this connection. In the case of FTP, the problem can easily be solved using passive mode FTP. [7] There are, however, other application protocols that are more complex and for which such a simple solution does not exist.

Remember that (static) packet filters are stateless, meaning that each IP packet is examined in isolation from what has happened in the past, forcing the packet filter to decide whether to permit or deny each packet solely on the basis of the packet-filtering rules and the header fields of that packet. Contrary to that, dynamic packet filtering or stateful inspection, a notion and technology introduced by the developers of FireWall-1 at Check Point Software Technologies, Ltd., [8] refers to a technology in which a packet filter maintains state information about past IP packets to make more intelligent decisions about the legitimacy of present and future IP packets. For example, a dynamic packet filter compares the first packet in a connection (for TCP, the segment with the SYN flag set) to the packet-filtering rules, and if the packet is permitted, state information identifying the connection (typically the source and destination addresses and port numbers, together with the transport protocol) is added to an internal state table. One might think of this state information as representing an internal virtual circuit in the stateful inspection device on top of the transport layer association. It permits subsequent packets of that association to pass quickly through the stateful inspection device, without being matched against the full rule set again. If the rules for a specific type of service require examining application data, then part of each packet must still be examined. As an example, FireWall-1 can react to seeing an FTP PORT command on a permitted control connection by creating a dynamic rule that permits a connection back from the FTP server's port 20 to that particular port number on the client's side. Such a dynamic rule is only as trustworthy as the inspection that created it: the device must verify that the address announced in the PORT command is the client's own address and that the announced port is an unprivileged one, since otherwise the control connection could be used to open the filter for arbitrary inbound connections.
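As an added example (not from the book and not the code of any product), the following Python model contrasts a restrictive static filter with a stateful one on the active-mode FTP exchange described above. The addresses, port numbers and packets are constructed for the illustration; the intranet prefix, the packet representation and the PORT-command validation are assumptions of the model.

```python
"""Static versus stateful packet filtering, illustrated with active-mode FTP.

Added example: all addresses, ports and packets below are constructed for the
illustration, and the filter logic is a model, not any product's implementation.
"""
import re
from dataclasses import dataclass

INTRANET_PREFIX = "10.0.0."     # assumption: the intranet is 10.0.0.0/24
FTP_CTRL, FTP_DATA = 21, 20
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False           # True for the first packet (SYN) of a TCP connection
    payload: bytes = b""


def is_internal(ip):
    return ip.startswith(INTRANET_PREFIX)


def static_filter(pkt):
    """Restrictive static rule set, one packet at a time with no memory:
    deny inbound connection setup (SYN from the Internet), permit everything else."""
    if pkt.syn and not is_internal(pkt.src):
        return "deny"
    return "permit"


class StatefulFilter:
    """Dynamic packet filter: the first packet of a connection is matched against
    the rules and, if permitted, recorded; later packets are matched against that
    state.  An FTP inspector reads PORT commands on permitted control connections
    and adds a one-shot dynamic rule for the announced inbound data connection."""

    def __init__(self):
        self.state = set()      # permitted connections, keyed (src, sport, dst, dport)
        self.expected = set()   # dynamic rules for inbound connections announced via PORT

    def inspect_ftp(self, pkt):
        m = PORT_RE.search(pkt.payload)
        if not m:
            return
        a = [int(x) for x in m.groups()]
        ip, port = ".".join(map(str, a[:4])), a[4] * 256 + a[5]
        # Honour the PORT command only if it names the announcing client itself and
        # an unprivileged port; otherwise the control connection could be used to
        # punch arbitrary holes into the filter, so no dynamic rule is created.
        if ip != pkt.src or port < 1024 or port > 65535:
            return
        self.expected.add((pkt.dst, FTP_DATA, ip, port))

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reverse in self.state:
            if pkt.dport == FTP_CTRL and pkt.payload:
                self.inspect_ftp(pkt)            # application data on a control connection
            return "permit"                      # belongs to a known connection
        if not pkt.syn:
            return "deny"                        # no state and not a connection setup
        if not is_internal(pkt.src) and key not in self.expected:
            return "deny"                        # inbound setup that nobody announced
        self.state.add(key)
        self.expected.discard(key)               # a dynamic rule is consumed once
        return "permit"


def active_ftp_session(client="10.0.0.5", server="203.0.113.10", x=40001, y=40002,
                       announced=None):
    """Packets of an active-mode FTP session as the screening router sees them
    (constructed).  `announced` lets the PORT command name a host other than the client."""
    host = announced or client
    port_cmd = b"PORT %s,%d,%d\r\n" % (host.replace(".", ",").encode(), y // 256, y % 256)
    return [
        Packet(client, x, server, FTP_CTRL, syn=True),          # control connection setup
        Packet(client, x, server, FTP_CTRL, payload=port_cmd),  # client announces port y
        Packet(server, FTP_DATA, client, y, syn=True),          # server opens data connection
    ]


def run(filter_fn, packets):
    return [filter_fn(p) for p in packets]


if __name__ == "__main__":
    print("static:  ", run(static_filter, active_ftp_session()))
    print("stateful:", run(StatefulFilter().filter, active_ftp_session()))
    # A PORT command naming some other host yields no dynamic rule, so the
    # server's data connection is refused just as a static filter would refuse it.
    print("forged:  ", run(StatefulFilter().filter, active_ftp_session(announced="10.0.0.99")))
```

The static filter permits the control connection and the PORT command but refuses the server's SYN to port Y; the stateful filter permits it because the inspector recorded the announced connection, and only that exact connection: a SYN from the server to any other client port, or one announced for a different host, is still denied.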

Dynamic packet filtering or stateful inspection provides far more flexibility in defining packet-filtering rules and filtering IP packets than static packet filtering does. In many situations, it makes sense to use stateful inspection to improve the capabilities (and security) of packet-filtering devices. Note, however, that the state table is a finite resource: entries must be expired by timeouts, and a flood of connection attempts can exhaust it, so its size and its behavior when full are part of the security configuration of such a device.

[7] Using passive mode FTP, the client issues a PASV command, the server replies with a port number on which it listens, and the FTP data connection is also established outbound by the client. Note that this moves the problem to the server side: a packet filter protecting the FTP server must now permit inbound connections to the server's dynamically chosen passive ports.

[8] The technology is covered by U.S. patent No. 5,606,668, which specifies a "system for securing inbound and outbound data packet flow in a computer network." The patent was granted to Check Point Software Technologies, Ltd., on February 25, 1997.


Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
Year: 2003
Pages: 142
Authors: Rolf Oppliger
