Siemens 5890 manual Stateful Firewall, Firewall Rules

Stateful Firewall

A firewall is a program or hardware device that filters the information coming through the Internet connection into your private network or computer system designed to prevent unauthorized access to or from a private network. If an incoming packet of information is flagged by the filters, it is not allowed through. However, a traditional stateless firewall has no way of matching incoming packets with an existing connection, so cannot prevent some security problems.

A stateful firewall tracks significant attributes of each connection from start to finish (such as the IP address and ports used for the connection, as well as the sequence number of the packets traversing the connection), and matches any packets inspected to an existing or new connection. These attributes are known collectively as the connection state. Only packets that match a known connection state are allowed by the stateful firewall; all others are rejected. Therefore, a stateful firewall offers better control over network traffic.

Stateful firewall varies from the IP filtering firewall in that it gathers and maintains state information about each session.

IP filtering firewall examines the packet’s header information and matches it against a set of defined rules. If it finds a match, the corresponding action is performed. If not, the packet is accepted.

Stateful firewall intercepts outgoing packets and gathers information from them (for example IP address information, port number) to create state information for that session. When an incoming packet is received, the stateful firewall checks the packet against the state information it has maintained and accepts the packet if the packet belongs to the session.

The router supports both the traditional IP filtering firewall and a stateful firewall. The IP filtering firewall built- into the router, consists of a set of rules that are examined each time a packet is transmitted or received from the public network. It examines the packet’s header information and matches it against a set of defined rules. If it finds a match, the corresponding action is performed. If not, the packet is accepted.

The IP filtering firewall provides an adequate level of security, but is limited in that it does not look beyond the packet’s header to collect more information, which could leave the firewall vulnerable to attacks. One example of this vulnerability is in the case when the IP filtering firewall requires a range of port numbers to be opened to allow some protocols to work. For example, the FTP protocol involves an exchange of port number information between the client and server. In this case, the client sends the server the port number to use to connect to the client. In order for such protocols to work with the IP filtering firewall, a range of ports would have to be opened and exposed because the firewall is unaware of exactly which port number is being used. This type of static protection leaves machines behind the firewall vulnerable.

The stateful firewall overcomes these limitations by maintaining state information about each session. The stateful firewall gathers information about outgoing packets and stores state information for that session in a state table. When an incoming packet is received, the stateful firewall checks the packet against the maintained information and accepts the packet if the packet belongs to the session. Once the session ends, its entry in the state-table is discarded. As an added security measure against port scanning, stateful inspection firewalls close off ports until connection to the specific port is requested.

By default, the stateful firewall is disabled, and your system is vulnerable until this feature is enabled.

This section describes how to perform the following tasks.