Firewalls can react to new applications with stateful inspection, but dangers can still slip by.
In the treacherous waters of the Internet, sharklike cybercriminals prey on the unwary or unfortunate. If users must venture out into the waters, and if their companies must let the flood of e-commerce transactions rush in, those companies' salvation comes from piloting the firewall's ship of stateful inspection.
Firewalls are designed to pass or block traffic going to and from the Internet. But firewalls have several different methods of screening packets.
Packet filters, static rules that specify what the firewall should do with specific traffic, are the first line of defense. Static packet filters, which many routers also can handle, look at the source, destination, port and type of packet (TCP, UDP, or ICMP), and do a pass/no-pass action on the packet.
Static packet filtering is speedy, but it's an all-or-nothing approach. If ports must be left open, you're leaving yourself vulnerable to cybershark attack.
The second method is an application gateway, otherwise known as an application proxy. Here, the firewall acts as an intermediary by inspecting the complete packet heading to, and returning from, a specific application. The proxy checks that the payload of the packet is valid for the application and that the entire session makes sense.
Though application proxies are thorough and effective, they are necessarily far slower than packet filtering. Also, an application proxy must be written for each new application or rewritten for traffic changes in the apps.
The compromise method between the two is called dynamic packet filtering or stateful inspection, where the firewall checks both the packet's header and the context of the packet's use.
A classic example is transferring files using FTP. The firewall remembers the details of the incoming request to get a file from an FTP server. The firewall then tracks the back-channel request (the FTP Port command) by the server for transferring information back to the client. As long as the information agrees (same IP addresses, no changes in port numbers, and no non-FTP requests), the firewall allows the traffic. After the transfer is complete, the firewall closes the ports involved.
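To make the difference concrete, here is an added illustration that is not part of the original article: a static packet filter and a minimal stateful-inspection engine, both run over the same constructed packet trace of an FTP transfer. The hosts, ports, rules and the `Packet` record are assumptions made for the example; the stateful engine remembers the control connection, reads the client's PORT command, admits only the matching data connection from the server, and forgets it once the transfer closes, while the static filter has to leave the high ports open to everyone.

```python
"""Added example (not the article's or any vendor's code): static packet filtering
versus stateful inspection of an FTP session. All hosts and rules are assumptions."""
from dataclasses import dataclass
import re

# Hypothetical hosts: the protected client and an FTP server on the Internet.
CLIENT = "10.0.0.5"
SERVER = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # opens a TCP connection
    fin: bool = False        # closes a TCP connection
    payload: bytes = b""     # application data; only the PORT command is ever read


def static_filter(p: Packet) -> bool:
    """Static rules look at header fields only and keep no memory of earlier packets.
    To let FTP data connections back in, a rule must hold the high ports open permanently."""
    if p.src == CLIENT and p.dport == 21:      # outbound FTP control channel
        return True
    if p.dst == CLIENT and p.dport >= 1024:    # inbound to any unprivileged port, from anyone
        return True
    return False


PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


class StatefulFirewall:
    """Tracks connections and the FTP PORT back-channel: the data port is opened only for
    the session that asked for it and closed again when that session ends."""

    def __init__(self):
        self.sessions = set()   # allowed 4-tuples, stored in the direction of the opener
        self.expected = {}      # (server, client, client_port) -> control-channel 4-tuple

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.dst, p.dport, p.src, p.sport)

    def inspect(self, p: Packet) -> bool:
        k, r = self._key(p), self._rev(p)
        if k in self.sessions or r in self.sessions:       # packet belongs to a known session
            if p.fin:                                      # transfer done: forget the session
                self.sessions.discard(k)
                self.sessions.discard(r)
            if p.dport == 21 and p.payload.startswith(b"PORT "):
                return self._track_port(p, k)
            return True
        if p.syn and p.src == CLIENT and p.dport == 21:    # client opens a control channel
            self.sessions.add(k)
            return True
        if p.syn and p.sport == 20 and (p.src, p.dst, p.dport) in self.expected:
            del self.expected[(p.src, p.dst, p.dport)]     # the announced back-channel arrives
            self.sessions.add(k)
            return True
        return False                                       # anything unsolicited is dropped

    def _track_port(self, p: Packet, control_key) -> bool:
        m = PORT_RE.match(p.payload)
        if not m:
            return False
        a, b, c, d, hi, lo = (int(x) for x in m.groups())
        if f"{a}.{b}.{c}.{d}" != p.src:    # advertised address must agree with the sender's
            return False
        self.expected[(p.dst, p.src, hi * 256 + lo)] = control_key
        return True


def run_trace():
    """Constructed trace of one FTP transfer; returns (static, stateful) verdicts per packet."""
    fw = StatefulFirewall()
    trace = [
        Packet(CLIENT, 4000, SERVER, 21, syn=True),                       # open control channel
        Packet(SERVER, 21, CLIENT, 4000),                                 # server banner
        Packet(CLIENT, 4000, SERVER, 21, payload=b"PORT 10,0,0,5,4,210\r\n"),  # advertise 10.0.0.5:1234
        Packet(SERVER, 20, CLIENT, 1234, syn=True),                       # the announced data connection
        Packet("198.51.100.7", 20, CLIENT, 5555, syn=True),               # unsolicited inbound connection
        Packet(SERVER, 20, CLIENT, 1234, fin=True),                       # transfer complete
        Packet(SERVER, 20, CLIENT, 1234),                                 # stray packet after close
    ]
    return [(static_filter(p), fw.inspect(p)) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

The fifth and seventh packets are the point: the static filter passes both because "inbound to a high port" is all it can express, whereas the stateful engine passes only the data connection it saw announced on an existing control channel, and only until that connection closes. The address check in `_track_port` is the "same IP addresses" condition from the text; a PORT command naming a different address is simply refused.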
But since stateful inspection doesn't examine the entire packet, malformed packets could make it through the unwary inspection and trip up the servers behind the firewall. A packet's payload can contain information or commands that cause applications, like a Web server's CGI script, to gag. Although stateful inspection has reduced the need for application proxies, some multimedia applications like RealAudio required firewall manufacturers to revise their stateful inspection engines.
For that reason, many high-end firewalls are hybrids, offering stateful inspection and application proxies. For large companies, e-commerce and hosting sites, that's the minimum needed. For most others, a firewall with stateful inspection will do. Just remember that stateful-inspection engines require their occasional updates and are just one piece of the entire security process. Otherwise you might apply another term to the site: shark bait.