Page 31 / 428
Check Point Stateful Inspection Technology
Chapter 2: The ZoneAlarm Firewall
17
The fact that both of the channels are established by the client presents a challenge for the
firewall protecting the FTP server: while a firewall can easily be configured to identify
incoming command connections over the default port 21, it must also be able to handle
incoming data connections over a dynamic port that is negotiated randomly as part of the
FTP client-server communication. The following table examines how different firewall
technologies handle this challenge:
Table 7: Firewall Technologies and Passive FTP Connections

Firewall Technology: Packet Filter
Action: Packet filters can handle outbound FTP connections in either of the following ways:
- By leaving the entire upper range of ports (greater than 1023) open. While this allows the file transfer session to take place over the dynamically allocated port, it also exposes the internal network.
- By shutting down the entire upper range of ports. While this secures the internal network, it also blocks other services.
Thus packet filters' handling of Passive FTP comes at the expense of either application support or security.

Firewall Technology: Application-Layer Gateway (Proxy)
Action: Application-layer gateways use an FTP proxy that acts as a go-between for all client-server sessions. This approach overcomes the limitations of packet filtering by bringing application-layer awareness to the decision process; however, it also takes a high toll on performance. In addition, each service requires its own proxy (an FTP proxy for FTP sessions, an HTTP proxy for HTTP sessions, and so on), and since the application-layer gateway can only support a certain number of proxies, its usefulness and scalability are limited. Finally, this approach exposes the operating system to external threats.
Check Point ZoneAlarm User Guide
Firewall Technology: Stateful Inspection Firewall
Action: A Stateful Inspection firewall examines the FTP application-layer data in an FTP session. When the client initiates a command session, the firewall extracts the port number from the request. The firewall then records both the client's and the server's IP addresses and port numbers in an FTP-data pending request list. When the client later attempts to initiate a data connection, the firewall compares the connection request's parameters (ports and IP addresses) to the information in the FTP-data pending request list to determine whether the connection attempt is legitimate.
Since the FTP-data pending request list is dynamic, the firewall can ensure that only the required FTP ports open. When the session is closed, the firewall immediately closes the ports, guaranteeing the FTP server's continued security.
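The following Python model of the FTP-data pending request list is an added example; it is not Check Point's code and does not describe how the ZoneAlarm router is implemented internally. It assumes the standard FTP address form (h1,h2,h3,h4,p1,p2) used by PORT commands and 227 replies, and all IP addresses, ports and control-channel lines in it are constructed samples.

```python
"""Added example, not part of the ZoneAlarm guide: a minimal model of the
FTP-data pending request list that Table 7 describes.  It watches the FTP
command channel for the two ways a data connection is negotiated and admits
a later data connection only if it matches a recorded entry:
  - passive mode: the server answers "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
    and the client then connects to h1.h2.h3.h4 on port p1*256+p2;
  - active mode: the client sends "PORT h1,h2,h3,h4,p1,p2" and the server
    connects back to that address.
Entries are consumed when used and dropped when the command session closes.
All addresses and messages in the demo are constructed samples.
"""
import re
from dataclasses import dataclass, field

_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by 227 replies.

    Returns (ip, port), or None when the form is absent or any field exceeds 255.
    """
    match = _HOSTPORT_RE.search(text)
    if not match:
        return None
    fields = [int(x) for x in match.groups()]
    if any(x > 255 for x in fields):
        return None
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


@dataclass
class FtpStateTracker:
    # pending entries: (client_ip, server_ip, data_port, mode)
    pending: set = field(default_factory=set)

    def observe_command_channel(self, client_ip, server_ip, line, from_server):
        """Feed one line of the control connection; record any data-port negotiation."""
        if from_server and line.startswith("227"):
            parsed = parse_host_port(line)
            # The advertised address must be the server we are talking to; no
            # entry is ever created for some third host.
            if parsed and parsed[0] == server_ip:
                self.pending.add((client_ip, server_ip, parsed[1], "pasv"))
        elif not from_server and line.upper().startswith("PORT "):
            parsed = parse_host_port(line)
            if parsed and parsed[0] == client_ip:
                self.pending.add((client_ip, server_ip, parsed[1], "port"))

    def allow_data_connection(self, src_ip, dst_ip, dst_port):
        """Decide on a new TCP connection attempt, consuming the entry it matches."""
        for entry in list(self.pending):
            client_ip, server_ip, data_port, mode = entry
            if mode == "pasv":
                expected = (client_ip, server_ip, data_port)   # client -> server
            else:
                expected = (server_ip, client_ip, data_port)   # server -> client (active)
            if (src_ip, dst_ip, dst_port) == expected:
                self.pending.discard(entry)
                return True
        return False

    def close_session(self, client_ip, server_ip):
        """Command session ended: drop its pending entries so no port stays open."""
        self.pending = {e for e in self.pending if (e[0], e[1]) != (client_ip, server_ip)}


def demo():
    """Walk through one passive-mode transfer; returns the firewall's decisions."""
    tracker = FtpStateTracker()
    client, server = "10.0.0.5", "203.0.113.10"          # constructed addresses
    tracker.observe_command_channel(client, server, "PASV", from_server=False)
    tracker.observe_command_channel(
        client, server, "227 Entering Passive Mode (203,0,113,10,200,10)", from_server=True)
    negotiated = 200 * 256 + 10                            # 51210
    return {
        "negotiated_port": tracker.allow_data_connection(client, server, negotiated),
        "second_use_of_same_port": tracker.allow_data_connection(client, server, negotiated),
        "other_high_port": tracker.allow_data_connection(client, server, negotiated + 1),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the security point of the table: an entry is consumed by the first connection that matches it, so nothing beyond the one negotiated port is ever open, and `close_session` discards entries immediately, which is the "closes the ports when the session is closed" behaviour. The check that the advertised address equals the control-connection peer is an extra safeguard of this example, not something the guide states.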
What Other Stateful Inspection Firewalls Cannot Do
The level of security that a stateful firewall provides is determined by the richness of data
tracked, and how thoroughly the data is analyzed. Treating traffic statefully requires
application awareness. Firewalls without application awareness must open a range of ports
for certain applications, which leads to exploitable holes in the firewall and violates
security “best practices”.
TCP packet reassembly on all services and applications is a fundamental requirement for
any Stateful Inspection firewall. Without this capability, fragmented packets of legitimate
connections may be dropped, or those carrying network attacks may be allowed to enter a
network. The implications in either case are potentially severe. When a truly stateful
firewall receives fragmented packets, the packets are reassembled into their original form.
The entire stream of data is analyzed for conformity to protocol definition and for packet-
payload validity.
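To make the reassembly requirement concrete, here is an added Python example (not the guide's or Check Point's code, and not a description of the ZoneAlarm router's internals) that buffers TCP segments by sequence number, delivers them only as a contiguous stream, flags a retransmission whose bytes contradict what the stream already holds, and then checks the reassembled bytes against a small FTP command definition. The segments, the initial sequence number and the command list are constructed for the example.

```python
"""Added example, not from the ZoneAlarm guide: reassembling TCP segments into
the original byte stream before inspecting it, the capability the text above
calls fundamental.  Segments are buffered by sequence number and released only
as a contiguous stream, so the inspection below always sees what the receiving
host will see.  A retransmitted segment whose bytes disagree with data the
stream already holds is recorded as a conflict and not applied, because a
device that inspected each copy on its own could reach a different verdict
than the host.  The segments and the small FTP command check are constructed
for this example.
"""


class StreamReassembler:
    def __init__(self, isn):
        self.isn = isn
        self.next_seq = isn          # sequence number of the next byte expected
        self.buffer = {}             # seq -> bytes, held until they become contiguous
        self.stream = bytearray()    # bytes delivered in order so far
        self.conflicts = []          # (seq, data) of segments that contradicted the stream

    def add_segment(self, seq, data):
        """Accept one segment (any order); returns how many in-order bytes are delivered."""
        if seq < self.isn:
            self.conflicts.append((seq, bytes(data)))   # before the stream began
        elif seq in self.buffer and self.buffer[seq] != data:
            self.conflicts.append((seq, bytes(data)))   # two versions of one segment
        else:
            self.buffer[seq] = bytes(data)
        self._drain()
        return len(self.stream)

    def _drain(self):
        """Move every segment that now touches the delivered region into the stream."""
        while True:
            ready = [s for s in self.buffer if s <= self.next_seq]
            if not ready:
                return
            seq = min(ready)
            data = self.buffer.pop(seq)
            overlap = self.next_seq - seq            # bytes of it already delivered
            compare = min(overlap, len(data))
            offset = len(self.stream) - overlap
            if self.stream[offset:offset + compare] != data[:compare]:
                self.conflicts.append((seq, data))   # contradicts delivered bytes
                continue
            self.stream += data[overlap:]
            self.next_seq += max(0, len(data) - overlap)


# Constructed command set for the protocol-conformity check below.
KNOWN_FTP_COMMANDS = {"USER", "PASS", "PASV", "PORT", "QUIT", "RETR", "STOR", "LIST", "CWD", "TYPE"}


def check_ftp_commands(stream):
    """Validate the complete command lines in a reassembled client stream.

    Returns [(verb, ok)]; ok is False for a line that is not printable ASCII
    or whose verb is not a known command.  A trailing partial line is left
    for the next segment to complete.
    """
    text = bytes(stream)
    results = []
    while b"\r\n" in text:
        line, _, text = text.partition(b"\r\n")
        printable = all(0x20 <= b < 0x7F for b in line)
        verb = line.split(b" ", 1)[0].decode("ascii").upper() if printable else "?"
        results.append((verb, printable and verb in KNOWN_FTP_COMMANDS))
    return results


def demo():
    """Out-of-order delivery plus one contradictory retransmission."""
    r = StreamReassembler(1000)
    r.add_segment(1007, b"onymous\r\n")   # arrives first: held, nothing delivered yet
    r.add_segment(1016, b"PASV\r\n")
    r.add_segment(1000, b"USER an")       # fills the gap: all three segments are delivered
    r.add_segment(1000, b"QUIT an")       # retransmission with different bytes: conflict
    r.add_segment(1020, b"\r\nQUIT\r\n")  # overlaps the delivered CRLF consistently
    return bytes(r.stream), len(r.conflicts), check_ftp_commands(r.stream)


if __name__ == "__main__":
    print(demo())
```

The point of inspecting `r.stream` rather than each segment is that a verdict is reached on the same bytes the host will process; the conflict list is where a detection rule would hook in, since legitimate retransmissions repeat the same bytes.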
True Stateful Inspection means tracking the state and context of all communications. This
requires a detailed level of application awareness. The ZoneAlarm router provides true
Stateful Inspection.
Chapter 3: Installing and Setting Up ZoneAlarm
This chapter describes how to properly set up and install your ZoneAlarm router in your
networking environment.
This chapter includes the following topics:
Before You Install the ZoneAlarm Router ........................ 19
Wall Mounting the ZoneAlarm Router ............................. 32
Securing the ZoneAlarm Router against Theft .................... 34
Router Installation ............................................ 36
Setting Up the ZoneAlarm Router ................................ 39
Before You Install the ZoneAlarm Router
Prior to connecting and setting up your ZoneAlarm router for operation, you must do the following:
- Check that the TCP/IP protocol is installed on your computer.
- Check your computer's TCP/IP settings to make sure it obtains its IP address automatically.
Refer to the section of this guide that corresponds to the operating system running on your computer. The sections below will guide you through the TCP/IP setup and installation process.
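The sections that follow perform this check through the Windows user interface. As an added example, not part of the guide, the Python script below performs the same "obtains its IP address automatically" check by parsing the output of `ipconfig /all`, where each adapter reports a "DHCP Enabled" field. The output embedded in it is a constructed sample; the `check_live_machine` function runs the real command on a Windows host.

```python
"""Added example, not from the ZoneAlarm guide: confirm from `ipconfig /all`
that each network adapter obtains its address automatically (DHCP Enabled: Yes)
instead of using a static address.  SAMPLE_IPCONFIG is a constructed sample of
that command's output; check_live_machine() parses the real output on Windows.
"""
import re
import subprocess

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.7
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1

Wireless LAN adapter Wireless Network Connection:

   Physical Address. . . . . . . . . : 66-77-88-99-AA-BB
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.1.1.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""


def parse_adapters(text):
    """Return {adapter name: {field: value}} from ipconfig /all output.

    Adapter headers are unindented lines containing "adapter" and ending in a
    colon; field lines are indented "Name . . . : value" pairs, so the key is
    taken up to the first colon and its dot leaders are stripped.
    """
    adapters = {}
    current = None
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped and not line.startswith(" ") and "adapter" in stripped and stripped.endswith(":"):
            current = stripped[:-1]
            adapters[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key = re.sub(r"[\s.]+$", "", key.strip())
            adapters[current][key] = value.strip()
    return adapters


def adapters_not_using_dhcp(text):
    """Names of adapters whose DHCP Enabled field is anything other than Yes."""
    return [name for name, fields in parse_adapters(text).items()
            if fields.get("DHCP Enabled", "").lower() != "yes"]


def check_live_machine():
    """Run ipconfig /all on this (Windows) host and report static adapters."""
    output = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True, check=True).stdout
    return adapters_not_using_dhcp(output)


if __name__ == "__main__":
    print("Sample: adapters with a static address:", adapters_not_using_dhcp(SAMPLE_IPCONFIG))
```

An adapter listed by `adapters_not_using_dhcp` is one whose TCP/IP properties must be changed to obtain an address automatically before the router's DHCP server can assign it one.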
Windows Vista
Checking the TCP/IP Installation
1. Click Start > Control Panel.
   The Control Panel window appears.
2. Under Network and Internet, click View network status and tasks.
   The Network Sharing Center screen appears.
3. In the Tasks pane, click Manage network connections.