Stateful packet inspection (SPI) is a dynamic packet filtering technique in which each packet is assigned to a specific active session. Packets are analysed and the state of their connection is included in the forwarding decision. In this technique, which is used in firewalls, packets are analysed in transit on the network layer (layer 3 of the OSI model) and their connection state is recorded in dynamic state tables. Forwarding decisions are then made on the basis of the state of each connection. Packets that cannot be assigned to a known connection by these criteria, or that may belong to a DoS attack, are discarded. Firewalls with SPI are therefore superior to pure packet-filtering firewalls in security-relevant applications. Check Point Software Technologies Ltd. claims to have invented this technology in 1993.
How it works
[Figure: how stateful packet inspection works. Credit: geeksforgeeks.org]
If a computer A communicates with a computer B through a simple packet filter (i.e. one without stateful packet inspection), the filter must allow two connections in its rule set:
- Source A to destination B, HTTP service (for the request, e.g. "send me the website www.example.com")
- Source B to destination A, HTTP service (for the response packets, in this example the content of www.example.com)
As a result, the rule set is less restrictive than it needs to be: B is allowed to send to A at any time, even if A has not requested a website (with Netfilter the SYN flag can be matched to prevent B from establishing a connection to A).
With stateful filtering (i.e. with stateful packet inspection), only one rule is required; the second direction is covered by a general rule (ESTABLISHED/RELATED). This makes the rule set much clearer:
- Source A to destination B
The packet filter remembers that computer A is communicating with computer B and only then allows responses from computer B to computer A. As a result, computer B cannot initiate a connection to A unless A has requested it.
The rules for the response packets are generated dynamically and deleted automatically once the response has arrived or after a timeout.
More advanced systems also check whether a packet is permissible at all at a given point in the communication (for example, further packets being sent although the other party has already closed the connection).
Stateful inspection of UDP packets
At first glance, stateful packet inspection seems a contradiction in terms for UDP, since UDP, unlike TCP, is stateless. Most implementations (e.g. Linux Netfilter) nevertheless treat UDP as stateful, in the sense that when a request is sent via UDP, a dynamic firewall rule for the response packets is created for a short time. For DNS queries, for example, this means that only response packets from the name servers that were actually queried are let in.
Some programs, such as Skype, exploit this in a process known as hole punching to establish point-to-point connections through firewalls. Both participants learn from the Skype server which IP address and which port Skype is using on the other side. Both then send a UDP packet to the other side. On arrival these packets are discarded, because there is no inbound rule, but each one creates a rule on the sending computer's firewall that allows 'replies' from then on. After that, both sides can communicate with each other. This would not (trivially) work with TCP, because the firewall can recognise genuine response packets by their sequence numbers.
Stateful inspection of ICMP
If you want to send ping requests but not answer incoming pings, first define an outbound rule for ICMP and then an inbound rule that generally allows all incoming packets belonging to existing outgoing connections (RELATED). The response is let through because the firewall recognises the existing connection. The host can then ping others, but incoming pings are not allowed. This works even though ICMP, unlike TCP, is a connectionless protocol; connectionless means that the individual packets are unrelated to each other.
Stateful inspection of FTP
FTP is problematic. Two ports, 'ftp' and 'ftp-data' (21 and 20), are used: 'ftp' carries the commands, while 'ftp-data' carries the data transfer (file contents or directory listings). There are two modes (active mode and passive mode) that determine in which direction the data connection (ftp-data) is established. The Linux kernel provides a module that tracks the relationship between the two ports.
Timeout
In stateful packet inspection, both TCP and UDP connections always have a timeout assigned: for UDP because it is impossible to tell when a connection has ended, and for TCP because connections are not always torn down cleanly. The UDP timeout is typically in the range of 20-40 seconds, the TCP timeout 15-60 minutes.
If the timeout is too short and the firewall terminates legitimate connections, there are two possible remedies. Extending the timeout helps, but it also increases the firewall's memory footprint and reduces security. The preferred method is therefore to use keep-alive packets, which can be configured in some applications, such as SSH clients, or in the operating system.
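To make the mechanism concrete, here is an added example that simulates the connection-tracking table described in the sections above in Python. It is not code from the original article and not a real firewall's implementation; it shows a static outbound policy, dynamically created reverse rules for replies, the SYN requirement for new TCP flows, per-protocol timeouts (short for UDP, long for TCP) and the ICMP echo case. The host names, ports, rule set and timeout values are constructed for the demonstration.

```python
from dataclasses import dataclass

# Constructed timeouts in seconds, chosen inside the ranges the article gives
# (UDP 20-40 s, TCP 15-60 min); they are not Netfilter's real defaults.
TIMEOUTS = {"tcp": 30 * 60, "udp": 30, "icmp": 30}


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    sport: int           # for icmp: the echo identifier
    dst: str
    dport: int           # for icmp: 0
    syn: bool = False    # TCP SYN flag (ignored for udp/icmp)
    icmp_type: str = ""  # "echo-request" or "echo-reply"


class StatefulFilter:
    """Toy SPI firewall protecting the hosts in `inside`.

    Static policy: an inside host may initiate flows matching
    `outbound` = {(proto, dport)}. Any other packet is accepted only if it
    is the reply to a flow already in the state table (ESTABLISHED/RELATED).
    """

    def __init__(self, inside, outbound):
        self.inside = set(inside)
        self.outbound = set(outbound)
        self.table = {}  # flow key -> expiry time: the dynamic reverse rules
        self.now = 0.0

    def tick(self, seconds):
        self.now += seconds  # advance the simulated clock

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self):
        self.table = {k: t for k, t in self.table.items() if t > self.now}

    def filter(self, p):
        """Return "ACCEPT-NEW", "ACCEPT-ESTABLISHED" or "DROP" for packet p."""
        self._expire()
        rev = self._reverse_key(p)
        # 1. Reply to a tracked flow? For ICMP only an echo-reply counts.
        if rev in self.table and (p.proto != "icmp" or p.icmp_type == "echo-reply"):
            self.table[rev] = self.now + TIMEOUTS[p.proto]  # refresh the entry
            return "ACCEPT-ESTABLISHED"
        # 2. A new flow from inside that the static outbound policy permits?
        if p.src in self.inside and (p.proto, p.dport) in self.outbound:
            if p.proto == "tcp" and not p.syn:
                return "DROP"  # non-SYN TCP packet with no state: INVALID, not NEW
            if p.proto == "icmp" and p.icmp_type != "echo-request":
                return "DROP"
            self.table[self._key(p)] = self.now + TIMEOUTS[p.proto]
            return "ACCEPT-NEW"
        # 3. No rule and no state.
        return "DROP"


def demo():
    """Run the article's scenarios through the filter; return the verdicts."""
    fw = StatefulFilter(inside={"A"}, outbound={("tcp", 80), ("udp", 53), ("icmp", 0)})
    v = {}
    # B tries to talk to A unsolicited: no state, no rule.
    v["unsolicited"] = fw.filter(Packet("tcp", "B", 80, "A", 40000, syn=True))
    # A -> B HTTP request (SYN) creates state; B's reply now matches it.
    v["request"] = fw.filter(Packet("tcp", "A", 40000, "B", 80, syn=True))
    v["reply"] = fw.filter(Packet("tcp", "B", 80, "A", 40000))
    # A non-SYN packet without state is dropped although port 80 is allowed.
    v["no_syn"] = fw.filter(Packet("tcp", "A", 40001, "B", 80))
    # DNS over UDP: the query opens a short-lived hole for *that* server only.
    v["dns_query"] = fw.filter(Packet("udp", "A", 5353, "ns", 53))
    v["dns_answer"] = fw.filter(Packet("udp", "ns", 53, "A", 5353))
    v["dns_other"] = fw.filter(Packet("udp", "other-ns", 53, "A", 5353))
    # After the UDP timeout the hole is gone, while the TCP flow survives.
    fw.tick(TIMEOUTS["udp"] + 1)
    v["dns_late"] = fw.filter(Packet("udp", "ns", 53, "A", 5353))
    v["tcp_still_open"] = fw.filter(Packet("tcp", "B", 80, "A", 40000))
    # ICMP: A's echo-request lets B's echo-reply in, but not B's own ping.
    v["ping_out"] = fw.filter(Packet("icmp", "A", 7, "B", 0, icmp_type="echo-request"))
    v["pong_in"] = fw.filter(Packet("icmp", "B", 0, "A", 7, icmp_type="echo-reply"))
    v["ping_in"] = fw.filter(Packet("icmp", "B", 9, "A", 0, icmp_type="echo-request"))
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

Running the file prints one verdict per scenario. The state table is keyed by the 5-tuple of the initiating packet, so a reply is matched by looking up its reversed tuple; that is exactly why an unsolicited packet from B, or an answer from a name server that was never asked, finds no entry and is dropped, and why the UDP entry disappears after its short timeout while the TCP entry is still there.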