Firewall
BAT54-Rail/F.. Release 7.54 06/08
8.2 What is a Firewall?
If we furthermore compare the Firewall with a porter, this doorkeeper only checks whether or not he knows the courier with the packet at the door. If the courier is known and has ever entered the building before, he is permitted to go in without hindrance and without being checked again, for all following orders, right up to the workplace of the addressee.
Stateful Packet Inspection
Stateful Packet Inspection (SPI), or briefly Stateful Inspection, enhances the packet filter approach by additionally checking connection state information. Beside the more static table with the permitted ports and address ranges, this variant keeps up a dynamic table in which information about the state of the individual connections is held. This dynamic table makes it possible to first block all endangered ports and to selectively open a port only when required for a permitted connection (matched by source and destination address). Ports are always opened from the protected network towards the unprotected one, that is mostly from the LAN to the WAN (Internet). Data packets that do not belong to one of the sessions tracked in the connection state table are automatically discarded.
Additionally, Stateful Inspection is able to track from the connection set-up whether additional channels are negotiated for data exchange or not. Some protocols, e.g. FTP (for data transfer), T.120, H.225, H.245 and H.323 (for NetMeeting or IP telephony), PPTP (for VPN tunnels) or IRC (for chatting), signal by the particular source port used when establishing the connection from the LAN to the Internet that they will negotiate further ports with the remote station. Stateful Inspection dynamically adds these additional ports to the connection state list as well, of course limited to the particular source and destination addresses only.
Stateful Inspection: direction-dependent checking
The filter sets of a Stateful Inspection Firewall are, contrary to classical port filter Firewalls, dependent on their direction. Connections can only be established from their source towards their destination; the other direction would require an explicit filter entry as well. Once a connection has been established, only the data packets belonging to this connection are transmitted, in both directions of course. In this way, all traffic that does not belong to a known session and does not come from the local network can be reliably blocked.
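The three mechanisms above (a static table of permitted LAN-to-WAN connections, a dynamic connection state table that passes replies in both directions, and extra channels added only for the addresses that negotiated them) can be modelled in a few lines. The following toy stateful packet filter is an added example, not code from the manual or the device's firmware; the addresses, the "10." LAN prefix and the FTP active-mode data port are constructed for the demonstration.

```python
from collections import namedtuple

# Static filter set: permitted new connections, LAN -> WAN only. Addresses
# beginning with "10." are the protected LAN (constructed assumption).
STATIC_RULES = {("tcp", 80), ("tcp", 443), ("tcp", 21)}
Packet = namedtuple("Packet", "proto src sport dst dport syn", defaults=(False,))

def is_lan(addr):
    return addr.startswith("10.")

class StatefulFilter:
    def __init__(self):
        self.sessions = set()  # dynamic connection state table (5-tuples)
        self.expected = set()  # extra channels announced on a control connection

    def handle(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "accept"  # part of a tracked session: passes in both directions
        chan = (p.proto, p.src, p.dst, p.dport)
        if chan in self.expected:  # negotiated extra channel, bound to these addresses
            self.expected.discard(chan)
            self.sessions.add(fwd)
            return "accept"
        if p.syn and is_lan(p.src) and not is_lan(p.dst) and (p.proto, p.dport) in STATIC_RULES:
            self.sessions.add(fwd)  # new connection: only from LAN towards WAN
            return "accept"
        return "drop"  # not in the state table and not a permitted new connection

    def announce_channel(self, ctl, proto, src, dst, port):
        # Called by a protocol helper (e.g. FTP) that saw an extra port negotiated
        # on the control connection; honoured only if that connection is tracked.
        if (ctl.proto, ctl.src, ctl.sport, ctl.dst, ctl.dport) in self.sessions:
            self.expected.add((proto, src, dst, port))

def demo():
    """Constructed traffic; returns the filter's decision for each packet."""
    fw, srv, wan = StatefulFilter(), "198.51.100.7", "203.0.113.9"
    out = [fw.handle(Packet("tcp", "10.0.0.5", 40000, srv, 80, True))]   # accept
    out.append(fw.handle(Packet("tcp", srv, 80, "10.0.0.5", 40000)))       # accept: reply
    out.append(fw.handle(Packet("tcp", wan, 5555, "10.0.0.5", 22, True)))  # drop: from WAN
    ctl = Packet("tcp", "10.0.0.5", 40001, srv, 21, True)
    out.append(fw.handle(ctl))                                           # accept: FTP control
    fw.announce_channel(ctl, "tcp", srv, "10.0.0.5", 40002)              # active-mode data port
    out.append(fw.handle(Packet("tcp", srv, 20, "10.0.0.5", 40002, True)))  # accept: announced
    out.append(fw.handle(Packet("tcp", srv, 20, "10.0.0.8", 40002, True)))  # drop: other host
    return out
```

Note that an announced channel is consumed on first use and an announcement for an untracked control connection is ignored, so the dynamic table never opens a port wider than the single negotiated address pair.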