
Firewall, Stateful Inspection

Stateful Firewall

In IT security, a stateful firewall (a firewall that inspects packets depending on connection state, i.e. performs stateful inspection) is a firewall that keeps track of the state of the network connections (for example TCP connections) passing through it. The firewall is programmed to distinguish legitimate packets of different connection types. Only packets that match a known connection state are allowed through by the firewall; all others are rejected.

Early attempts to build a firewall operating at the application layer, the seventh layer of the OSI model, required too much CPU power. Packet filters, by contrast, work at the network layer (layer 3) and are more efficient because they only look at the header part of a packet. However, pure packet filters have no knowledge of the current connection state, which computer science defines as a finite state machine, and are therefore targets of spoofing attacks and other security weaknesses.

How it works

A stateful firewall is able to hold in memory significant attributes of each connection, from start to finish. These attributes, collectively known as the state of the connection, may include details such as the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing it. The most CPU-intensive checking is performed at the time the connection is set up. All packets after that (for that session) are processed rapidly, because it is simple and fast to determine whether a packet belongs to an existing, pre-screened session. Once the session has ended, its entry in the state table is discarded.

The stateful firewall depends on the famous three-way handshake of the TCP protocol. When a client initiates a new connection, it sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections. If the service which the client has requested is available on the server, the service will reply to the SYN packet with a packet in which both the SYN and the ACK bit are set. The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the ESTABLISHED state. Such a firewall will pass all outgoing packets through but will only allow incoming packets if they are part of an ESTABLISHED connection, ensuring that hackers cannot start unsolicited connections with the protected machine.

In order to prevent the state table from filling up, sessions will time out if no traffic has passed for a certain period. These stale connections are removed from the state table. Many applications therefore send keepalive messages periodically in order to stop a firewall from dropping the connection during periods of no user-activity, though some firewalls can be instructed to send these messages for applications. It is worth noting that the most common Denial of Service attack on the internet these days is the SYN flood, where a malicious user intentionally sends large amounts of SYN packets to the server in order to overflow its state table, thus blocking the server from accepting other connections.

Many stateful firewalls are able to track the state of connections in connectionless protocols, like UDP. Such connections usually enter the ESTABLISHED state immediately after the first packet is seen by the firewall. Sessions in connectionless protocols can only end by time-out.
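The handshake tracking, idle timeout and UDP handling described in the three preceding paragraphs, as an added toy model (not code from the original page): a state table keyed by the initiator's 5-tuple, where a bare outbound SYN creates a NEW entry, the initiator's ACK moves it to ESTABLISHED, a UDP flow is ESTABLISHED on its first packet, unsolicited inbound packets are dropped, and idle entries expire. The Packet fields, the 60-second timeout and the addresses used in testing are constructed assumptions.

```python
# Added example, not code from the original page: a toy stateful packet
# filter following the behaviour described above. Packet fields, the
# timeout and any sample traffic are constructed for illustration.
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10    # TCP flag bits
IDLE_TIMEOUT = 60.0      # seconds without traffic before a session is dropped

@dataclass
class Packet:
    proto: str             # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float              # arrival time in seconds
    flags: int = 0         # TCP flags, ignored for UDP
    inbound: bool = False  # True when arriving from the untrusted side

class StatefulFirewall:
    def __init__(self):
        self.table = {}    # initiator 5-tuple -> [state, last_seen]

    def _expire(self, now):
        for key in [k for k, v in self.table.items() if now - v[1] > IDLE_TIMEOUT]:
            del self.table[key]   # stale session removed from the state table

    def process(self, p):
        """Return 'ACCEPT' or 'DROP' and update the state table."""
        self._expire(p.ts)
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:                     # initiator -> responder
            entry = self.table[fwd]
            if p.proto == "tcp" and entry[0] == "NEW" and p.flags & ACK:
                entry[0] = "ESTABLISHED"          # final ACK of the handshake
            entry[1] = p.ts
            return "ACCEPT"
        if rev in self.table:                     # responder -> initiator
            self.table[rev][1] = p.ts             # SYN/ACK or later reply data
            return "ACCEPT"
        if p.inbound:
            return "DROP"                         # unsolicited inbound packet
        if p.proto == "tcp":
            if not (p.flags & SYN) or (p.flags & ACK):
                return "DROP"                     # new TCP flow must start with a bare SYN
            self.table[fwd] = ["NEW", p.ts]
        else:
            self.table[fwd] = ["ESTABLISHED", p.ts]  # UDP: established on first packet
        return "ACCEPT"
```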

By keeping track of the connection state, stateful firewalls provide added efficiency in packet inspection: for existing connections the firewall need only check the state table, instead of checking each packet against the firewall's rule set, which can be extensive. There is also an additional cost when the firewall's rule set is updated, which should cause the state table to be flushed. Note that the concept of deep packet inspection is unrelated to stateful firewalls.