We've all had the joy of calling up tech support to get information that the
vendor of a troublesome program forgot to include in the help file. If you
happen to be the firewall administrator for your organization, then you might
have this problem more often than most. If you can fight back the tears of
frustration, such calls are often good for a laugh.
A buddy of mine, Jerry, shared with me such an experience he had last week. Jerry was trying to
configure his firewall to work with a well-known computer-to-PSTN gateway
application, and he needed to know the protocol details used by the application.
The help desk told him "you need to open ports 123, 456, 789, 321, 654, 987"
(I've changed the port numbers to protect the guilty). My buddy said, "What are
you talking about? I'm configuring a firewall, not a packet filtering router".
The tech support guy was apparently offended and told my buddy that "these *are*
the ports you open on the firewall". Jerry told the tech support guy he was FOS
and that the call needed to be passed upwards. They hung up on each other.
The company called Jerry back. This time the company's "firewall guru"
called and said the problem was with my friend's firewall. He was using ISA
Server 2000, and the "firewall guru" told him that "ISA Server 2000 is not a
stateful firewall and therefore our software won't work with it". Unfortunately,
my buddy didn't really understand what stateful meant, so he accepted this trash
talk from this clueless "expert".
After Jerry told me about what happened, I realized the term "state" is bandied
about like some sort of political fact. Everyone uses the word, but no one seems
to know what they're talking about (or they're all talking about different
things). If some company's "firewall guru" called you and said that your firewall
won't work because it's not a "stateful firewall", would you just lie down and
accept it? Or would you pin the guy to the mat and make him prove to you that
he's a moron?
What is State?
What is state, and how does a firewall determine the state of a communication between a source and destination host?
State can be loosely defined as the "condition or status of a connection between
two communicating hosts". States might be defined as beginning, middle, and end,
or beginning and end, or sent and received, or none of the above (as seen with
"stateless" protocols). The first rule about communication states is that they
vary with the protocols used.
Regardless of the protocol and how it manages its state of communication, a
firewall needs to keep track of the communication status between a source and
destination host. This information is stored in what is called a "state table".
Various types of information are stored in a state table, and the information
varies with the protocol used by the communicating hosts. Examples of
information kept in a state table include:
* Source and destination IP address
* Source and destination port
* Protocol, flags, sequence and acknowledgement numbers
* ICMP Code and Type numbers
* Secondary connection information communicated in application layer headers
* Application layer specific command sequences (GET, PUT, OPTIONS, etc.)
For example, one of the main jobs a firewall performs is to block
all unsolicited inbound connections while allowing responses from servers that
internal network clients have made outbound connections to. The firewall can
block the unsolicited inbound connections while allowing the servers to respond
by keeping track of the outbound connections in its state table.
For example, when the internal network client makes an outbound connection, the
firewall might enter the source and destination IP address and port number in
the state table (it might also enter flag, sequence number, and ack number
information too). When the firewall receives the server's response, it checks
the state table to see if anyone made an outbound request to that server. If so,
and if the flags, sequence, and acknowledge numbers are appropriate (for TCP
communications), then the firewall passes the response to the internal network
client that made the outbound request.
Transmission Control Protocol (TCP) States
A firewall assesses connection state
differently depending on which protocol it's managing or tracking. The
Transmission Control Protocol (TCP) is a connection-oriented, session-based
protocol that is truly stateful. TCP has true start and finish states, as well
as a number of intermediate states. A firewall can draw a fine bead on the
status of a TCP connection because of the granularity of state information
provided by TCP.
In fact, RFC 793 provides for 11 TCP states which can
be loosely...
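The state-table logic described in the previous section (record the outbound connection, then pass only the replies that match it, checking flags, sequence and acknowledgement numbers for TCP) and the TCP connection states this section introduces, in working form. This is an added example written for this page; it is not code from the article, from ISA Server, or from any product mentioned here. It assumes the inside network is 10.0.0.0/8, uses constructed addresses from the documentation ranges (10.0.0.5, 203.0.113.9, 198.51.100.7), tracks only a simplified subset of the RFC 793 states as a firewall in the middle would see them (SYN_SENT, SYN_RECEIVED, ESTABLISHED, FIN_WAIT, LAST_ACK), and ignores receive windows, timeouts and retransmissions. UDP and ICMP echo are paired on the reversed tuple and the echo identifier respectively, since they carry no connection flags.

```python
# Toy stateful packet filter (added example, not code from the article).
# State table keyed on the flow as seen from the inside, with a simplified
# subset of the RFC 793 TCP states per entry, plus UDP and ICMP echo pairing.
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP header flag bits
INTERNAL_PREFIX = "10."                      # assumed: the inside network
WINDOW = 65535                               # assumed tolerance for seq checks


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: int = 0      # TCP flags
    seq: int = 0
    ack: int = 0
    length: int = 0     # payload bytes, for sequence tracking
    icmp_type: int = 0  # 8 = echo request, 0 = echo reply
    icmp_id: int = 0    # echo identifier


class StateTable:
    def __init__(self):
        self.table = {}  # key -> {"state": ..., "c_next": ..., "s_next": ...}

    @staticmethod
    def _key(p, outbound):
        # Normalise the tuple so both directions of one flow share a key.
        if p.proto == "icmp":                # echo id pairs request and reply
            in_port, out_port = p.icmp_id, 0
        else:
            in_port, out_port = (p.sport, p.dport) if outbound else (p.dport, p.sport)
        inside, outside = (p.src, p.dst) if outbound else (p.dst, p.src)
        return (p.proto, inside, in_port, outside, out_port)

    def filter(self, p):
        """Return 'ALLOW' or 'DROP', updating the state table on the way."""
        outbound = p.src.startswith(INTERNAL_PREFIX)
        key = self._key(p, outbound)
        entry = self.table.get(key)
        if p.proto == "tcp":
            return self._tcp(p, key, entry, outbound)
        if p.proto == "udp":  # no flags: outbound opens, matching reply passes
            if outbound:
                self.table[key] = {"state": "UDP_OPEN"}
            return "ALLOW" if outbound or entry else "DROP"
        if p.proto == "icmp":  # only the reply to our own echo request passes
            if outbound and p.icmp_type == 8:
                self.table[key] = {"state": "ECHO_SENT"}
                return "ALLOW"
            if entry and not outbound and p.icmp_type == 0:
                del self.table[key]
                return "ALLOW"
        return "DROP"

    def _tcp(self, p, key, entry, outbound):
        if entry is None:  # only an inside-originated SYN may open an entry
            if outbound and p.flags & SYN and not p.flags & ACK:
                self.table[key] = {"state": "SYN_SENT", "c_next": p.seq + 1, "s_next": 0}
                return "ALLOW"
            return "DROP"  # unsolicited inbound packet (or stray outbound one)
        if p.flags & RST:  # either side aborts the connection
            del self.table[key]
            return "ALLOW"
        st = entry["state"]
        if (st == "SYN_SENT" and not outbound and p.flags & SYN and p.flags & ACK
                and p.ack == entry["c_next"]):  # SYN/ACK must ack our ISN + 1
            entry.update(state="SYN_RECEIVED", s_next=p.seq + 1)
            return "ALLOW"
        if (st == "SYN_RECEIVED" and outbound and p.flags & ACK
                and p.ack == entry["s_next"]):  # third packet of the handshake
            entry["state"] = "ESTABLISHED"
            return "ALLOW"
        if st in ("ESTABLISHED", "FIN_WAIT", "LAST_ACK"):
            mine, theirs = ("c_next", "s_next") if outbound else ("s_next", "c_next")
            # seq must lie in the expected window; ack must not cover bytes the
            # other side has never sent
            if not (entry[mine] <= p.seq < entry[mine] + WINDOW) or p.ack > entry[theirs]:
                return "DROP"
            entry[mine] = p.seq + p.length + (1 if p.flags & FIN else 0)
            if p.flags & FIN:  # first FIN -> FIN_WAIT, second -> LAST_ACK
                entry["state"] = "LAST_ACK" if st == "FIN_WAIT" else "FIN_WAIT"
            elif st == "LAST_ACK" and p.ack == entry[theirs]:
                del self.table[key]  # final ACK removes the entry
            return "ALLOW"
        return "DROP"


def demo_session():
    """Constructed TCP session: handshake, data, an unsolicited SYN, teardown."""
    fw, c, s = StateTable(), ("10.0.0.5", 40000), ("203.0.113.9", 80)

    def pkt(a, b, flags, seq, ack, length=0):
        return Packet("tcp", a[0], b[0], a[1], b[1], flags, seq, ack, length)
    verdicts = [fw.filter(p) for p in (
        pkt(c, s, SYN, 1000, 0), pkt(s, c, SYN | ACK, 5000, 1001),
        pkt(c, s, ACK, 1001, 5001), pkt(c, s, ACK, 1001, 5001, 100),
        pkt(s, c, ACK, 5001, 1101, 500),
        Packet("tcp", "198.51.100.7", "10.0.0.5", 1234, 22, SYN, 7, 0),  # unsolicited
        pkt(s, c, ACK, 9999999, 1101, 10),  # "reply" with a seq far outside the window
        pkt(c, s, FIN | ACK, 1101, 5501), pkt(s, c, FIN | ACK, 5501, 1102),
        pkt(c, s, ACK, 1102, 5502))]
    return verdicts, len(fw.table)
```

Running `demo_session()` passes the handshake, the two data segments and the three teardown packets, drops the SYN that nobody inside asked for and the segment whose sequence number does not fit the tracked connection, and leaves the table empty once the final ACK is seen. That is the difference the "firewall guru" glossed over: a packet filter that simply opens ports 123, 456 and so on passes anything addressed to those ports, while a state table passes only traffic that belongs to a connection it has already seen an inside host initiate.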