Stateful firewalls and packet filtering
In Internet security and access control, an internet firewall is used to control access between two partitions of a network. Informally, one side of the firewall is referred to as the inside, while the other side is referred to as the outside. Internet firewalls operate by inspecting and filtering packets that are transmitted across the firewall boundary. With packet filtering, the packets are typically TCP/IP datagrams.
Firewalls are configured with a firewall ruleset. This ruleset defines a set of 5-tuples that carry sufficient information to identify a TCP connection. A 5-tuple consists of the following fields: IP source address, IP destination address, transport protocol (e.g., TCP or UDP), source port number, destination port number. Firewall rules can be set for individual network interfaces on a host. To be effective, firewalls should block (filter) all traffic by default. Only packet traffic that is explicitly allowed in the firewall ruleset should be permitted to flow.
In addition to a ruleset, firewalls can be stateful. Stateful firewalls keep track of open connections and filter traffic using a dynamic state table and the firewall ruleset. Stateful firewalls accept traffic from the outside that matches an existing entry in the dynamic state table, and open new connections from the outside that are permitted based on the firewall ruleset. In this way, internal hosts are able to initiate connections to external hosts using an arbitrary source port number. On the other hand, external connection attempts that have not been initiated by internal hosts or that do not match an allowed rule in the firewall ruleset are filtered.
As an example of a stateful firewall, let us assume that the network manager in our admittedly very simple example network has configured the firewall to only allow outgoing connections to destination ports 80 (http) and 443 (https). Ports 80 and 443 are the standard ports used for web servers on the internet. Practically speaking, this firewall configuration is designed to allow inside clients located behind the firewall to initiate connections to external internet web servers, and in doing so browse the web. Figure 1 below shows the process of an inside client making a request to an outside web server and receiving a reply.
First, in step 1, the client sends a request to the external web server. This web server is located at destination IP address 10.1.1.200 and destination port 80 (http). The client initiates this connection using source port 12345. Assume that the client operating system chose this source port out of a pool of free ports that it maintains. The connection is initiated using the TCP transport protocol. In step 2, the firewall inspects the firewall ruleset and finds a matching rule for the client request. The IPdst field of the matching rule allows outgoing connections to the CIDR address range 10.1.1.0/24, which covers the web server's destination IP address. The srcPort field of the matching rule contains a wildcard character, allowing any port on the client to make outgoing connections under that rule. In step 3, the firewall places the 5-tuple for the current connection in the dynamic state table. In step 4, the client request is passed through the firewall and sent on to the destination web server. In step 5, the web server responds to the client request. In step 6, the firewall receives the response from the web server. The firewall finds the active connection in the dynamic state table that matches the web server's response, and then in step 7 passes the response to the client.
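The seven steps above can be exercised with a small simulation. The following Python is an added example, not code from the original page or from the cited textbook: it models a ruleset of 5-tuple rules (CIDR address ranges, port wildcards) and a dynamic state table keyed on the 5-tuple, then replays the client request, the web server's reply, and two packets the firewall should drop. The inside network 192.168.1.0/24, the client address 192.168.1.10 and the rule layout are assumptions; the web server 10.1.1.200, the range 10.1.1.0/24, ports 80/443 and source port 12345 come from the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FiveTuple:
    """The 5-tuple that identifies a TCP/UDP connection."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

    def reverse(self) -> "FiveTuple":
        # The reply to a connection swaps source and destination.
        return FiveTuple(self.dst_ip, self.src_ip, self.proto,
                         self.dst_port, self.src_port)


@dataclass
class Rule:
    """One ruleset entry. None in a port field is the '*' wildcard."""
    src_net: str
    dst_net: str
    proto: str
    src_port: Optional[int]
    dst_port: Optional[int]

    def matches(self, t: FiveTuple) -> bool:
        return (ipaddress.ip_address(t.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(t.dst_ip) in ipaddress.ip_network(self.dst_net)
                and self.proto == t.proto
                and self.src_port in (None, t.src_port)
                and self.dst_port in (None, t.dst_port))


class StatefulFirewall:
    """Default-deny firewall: a ruleset for inside-initiated connections plus a state table."""

    def __init__(self, outbound_rules):
        self.rules = list(outbound_rules)
        self.state = set()   # dynamic state table of open 5-tuples (steps 3 and 6)

    def outbound(self, t: FiveTuple) -> str:
        # Steps 2-4: an inside-initiated packet passes only if some rule matches,
        # and the connection is then recorded so that replies can be matched.
        for rule in self.rules:
            if rule.matches(t):
                self.state.add(t)
                return "ALLOW"
        return "DROP"

    def inbound(self, t: FiveTuple) -> str:
        # Steps 6-7: an outside packet passes only as the reply to a recorded connection.
        # Anything unsolicited from the outside is dropped (default deny).
        return "ALLOW" if t.reverse() in self.state else "DROP"


def build_example_firewall() -> StatefulFirewall:
    # Assumed inside network 192.168.1.0/24; only web ports 80 and 443 are allowed out.
    return StatefulFirewall([
        Rule("192.168.1.0/24", "10.1.1.0/24", "tcp", None, 80),
        Rule("192.168.1.0/24", "10.1.1.0/24", "tcp", None, 443),
    ])


def run_example() -> dict:
    """Replay the figure's exchange plus two packets that must be filtered."""
    fw = build_example_firewall()
    client, server = "192.168.1.10", "10.1.1.200"   # client address is assumed
    request = FiveTuple(client, server, "tcp", 12345, 80)
    return {
        "step1_request": fw.outbound(request),              # ALLOW, state entry added
        "step5_reply": fw.inbound(request.reverse()),        # ALLOW, matches state table
        "unsolicited_inbound": fw.inbound(                   # DROP, no state entry
            FiveTuple(server, client, "tcp", 80, 22222)),
        "ssh_outbound": fw.outbound(                         # DROP, port 22 not in ruleset
            FiveTuple(client, server, "tcp", 40000, 22)),
    }


if __name__ == "__main__":
    for name, verdict in run_example().items():
        print(f"{name}: {verdict}")
```

Note that the state table here is keyed purely on the 5-tuple; a production stateful firewall additionally tracks TCP flags and sequence numbers and expires idle entries, so that a stale entry cannot be reused to pass unrelated traffic later.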
In addition to configuring a firewall to control access in and out of a network, a network manager can also use tools to analyze the topology of their network. Port scanning is a technique used both by network security experts and by potential intruders to discover a network topology. Once a firewall is configured and operational on a network, port scanning can be performed to discover vulnerabilities that may be present.
Nmap is a port scanning software utility used to gather information about entire networks or individual hosts. It can be used to determine the hosts on a network, what services are being offered by these hosts, and what operating systems these hosts are running. Additionally, Nmap can be used to determine the type of packet filters and firewalls that are in use in a network.
Port scanning is used to classify the ports on a host into four categories: filtered, closed, open, unfiltered. A filtered port usually means that a firewall is blocking traffic. A closed port means that no application is currently listening on the given host port, although one could start listening at any time. An open port on a host is actively listening for connections. An unfiltered port is either an open or a closed port, but it is not known which one.
The most popular type of port scan is the SYN scan. The SYN scan initiates a TCP connection with the target host but never completes the three-way handshake. Figure 2 below shows the process of the SYN scan.
In Figure 2, the scanning host sends a SYN packet to the target host. After the target receives the SYN packet, it responds with a SYN+ACK packet to accept the connection. In that case, the scanned host port is marked as open. The scanner does not respond with an ACK to complete the three-way handshake. In Figure 3 below, we see the case in which a SYN scan discovers that a host port is closed after receiving a RST packet in response.
If the target host does not respond to the SYN scan, then the scanned port is marked as filtered. A filtered port offers the least amount of information to an intruder.
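The property that a SYN scan sends a SYN but never the completing ACK is also what lets a defender spot one in firewall or flow logs. The following Python is an added example, not code from the original page, Nmap or the cited textbook: it parses a constructed, space-separated packet log (one line per TCP packet the firewall saw, with a flags column where S is SYN and A is ACK) and flags any source that has left many distinct (destination, port) pairs half-open. The log format, the addresses 192.0.2.7 and 192.168.1.10 and the threshold of 5 are assumptions; 10.1.1.200 and port 80 come from the text.

```python
from collections import defaultdict

# Constructed sample log (not from the page). Fields:
#   time  src  dst  proto  sport  dport  flags   (S = SYN, A = ACK, R = RST)
# 192.0.2.7 probes five ports on 10.1.1.200 with bare SYNs and never sends an ACK;
# 192.168.1.10 is the ordinary web client from the text, which completes its handshake.
SAMPLE_LOG = """\
2024-01-01T10:00:01 192.0.2.7 10.1.1.200 tcp 40001 22 S
2024-01-01T10:00:01 192.0.2.7 10.1.1.200 tcp 40002 80 S
2024-01-01T10:00:01 192.0.2.7 10.1.1.200 tcp 40003 443 S
2024-01-01T10:00:01 192.0.2.7 10.1.1.200 tcp 40004 8080 S
2024-01-01T10:00:01 192.0.2.7 10.1.1.200 tcp 40005 3306 S
2024-01-01T10:00:02 192.168.1.10 10.1.1.200 tcp 12345 80 S
2024-01-01T10:00:02 192.168.1.10 10.1.1.200 tcp 12345 80 A
"""


def parse_line(line: str) -> dict:
    """Split one log line into its fields (assumed format, see SAMPLE_LOG)."""
    ts, src, dst, proto, sport, dport, flags = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "sport": int(sport), "dport": int(dport), "flags": flags}


def detect_syn_scans(log_text: str, threshold: int = 5) -> dict:
    """Return {src: half_open_target_count} for sources at or above threshold.

    A target is (dst, dport). It counts as half-open for a source when that
    source sent a bare SYN to it and no later ACK, i.e. it behaves like the
    SYN scan in Figure 2 rather than a client finishing the three-way handshake.
    """
    syn_targets = defaultdict(set)   # src -> {(dst, dport)} that received a bare SYN
    ack_targets = defaultdict(set)   # src -> {(dst, dport)} for which src sent an ACK
    for line in log_text.splitlines():
        if not line.strip():
            continue
        p = parse_line(line)
        if p["proto"] != "tcp":
            continue
        target = (p["dst"], p["dport"])
        if "S" in p["flags"] and "A" not in p["flags"]:
            syn_targets[p["src"]].add(target)      # bare SYN (not a SYN+ACK reply)
        elif "A" in p["flags"]:
            ack_targets[p["src"]].add(target)      # handshake was completed
    suspects = {}
    for src, targets in syn_targets.items():
        half_open = targets - ack_targets[src]
        if len(half_open) >= threshold:
            suspects[src] = len(half_open)
    return suspects


if __name__ == "__main__":
    for src, count in detect_syn_scans(SAMPLE_LOG).items():
        print(f"possible SYN scan from {src}: {count} half-open targets")
```

The threshold and the time window (here the whole log; in practice a sliding window) are the tuning knobs: a legitimate client that times out on one or two connections never accumulates many half-open targets, whereas a scan of even a short port list does. Counting distinct (destination, port) pairs rather than raw SYNs also keeps a client retransmitting the same SYN from being miscounted.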
Internet firewalls are used to enforce access control between networks. Firewalls use packet filters to either allow or reject packet flows based on rules in a firewall ruleset. Stateful firewalls use a dynamic state table to keep track of open connections. Incoming packets that do not match any entry in the dynamic state table and that do not match any rule in the firewall ruleset are rejected. Port scanning is a technique used by both network managers and intruders to discover a network topology.
Douglas Comer, Internetworking with TCP/IP: Principles, Protocols, and Architectures, 6th ed. New Jersey, 2014, pp. 615-618.