1. Home
    2. /
  2. Manuals
    3. /
  3. ZoneAlarm
    4. /
  4. Z100G
    5. /
  5. 6
Page 26 / 428 Scroll up to view Page 21 - 25
Security Requirements
12
Check Point ZoneAlarm User Guide
Security Requirements
In order to make control decisions for new communication attempts, it is not sufficient for
the firewall to examine packets in isolation. Depending upon the communication attempt,
both the communication state (derived from past communications) and the application state
(derived from other applications) may be critical in the control decision. Thus, to ensure
the highest level of security, a firewall must be capable of accessing, analyzing, and
utilizing the following:
Communication information
- Information from all seven layers in the packet
Communication-derived state
- The state derived from previous communications.
For example, the outgoing PORT command of an FTP session could be saved so
that an incoming FTP data connection can be verified against it.
Application-derived state
- The state information derived from other applications.
For example, a previously authenticated user would be allowed access through
the firewall for authorized services only.
Information manipulation
- The ability to perform logical or arithmetic functions
on data in any part of the packet. For example, the ability to encrypt packets.
Old Firewall Technologies
Older firewall technologies, such as packet filtering and application-layer gateways, are
still in use in some environments. It is important to familiarize yourself with these
technologies, so as to better understand the benefits and advantages of the Check Point
Stateful Inspection firewall technology.
Packet Filters
Historically implemented on routers, packet filters filter user-defined content, such as IP
addresses. They examine a packet at the network or transport layer and are application-
independent, which allows them to deliver good performance and scalability.
Packet filters are the least secure type of firewall, as they are not application-aware,
meaning that they cannot understand the context of a given communication. This makes
them relatively easy targets for unauthorized entry to a network. A limitation of this type
of filtering is its inability to provide security for basic protocols.
Packet filters have the following advantages and disadvantages:
Page 27 / 428
Old Firewall Technologies
Chapter 2: The ZoneAlarm Firewall
13
Table 4: Packet Filter Advantages and Disadvantages
Advantages
Disadvantages
Application independence
Low security
High performance
No screening above the network layer
Scalability
Application-Layer Gateways
Application-layer gateways improve security by examining all application layers, bringing
context information into the decision-making process. However, the method they use to do
this disrupts the client/server model, reducing scalability. Ordinarily, a client sends
requests for information or action according to a specific protocol, and the server responds,
all in one connection. With application-layer gateways, each client/server communications
requires two connections: one from a client to a proxy, and one from a proxy to a server. In
addition, each proxy requires a different process (or daemon), making support for new
applications a problem.
Application-layer gateways have the following advantages and disadvantages:
Table 5:
Application-Layer Gateway Advantages and Disadvantages
Advantages
Disadvantages
Good security
Poor performance
Full application-layer awareness
Limited application support
Poor scalability (breaks the client/server model)
Page 28 / 428
Check Point Stateful Inspection Technology
14
Check Point ZoneAlarm User Guide
Check Point Stateful Inspection Technology
Invented by Check Point, Stateful Inspection is the industry standard for network security
solutions. A powerful inspection module examines every packet, ensuring that packets do
not enter a network unless they comply with the network's security policy.
Stateful Inspection technology implements all necessary firewall capabilities between the
data and network layers. Packets are intercepted at the network layer for best performance
(as in packet filters), but the data derived from layers 3-7 is accessed and analyzed for
improved security (compared to layers 4-7 in application-layer gateways). Stateful
Inspection incorporates communication and application-derived state and context
information, which is stored and updated dynamically. This provides cumulative data
against which subsequent communication attempts can be evaluated. Stateful Inspection
also delivers the ability to create virtual-session information for tracking connectionless
protocols, such as UDP-based and RPC applications.
ZoneAlarm routers use Stateful Inspection technology to analyze all packet
communication layers and extract the relevant communication and application state
information. The ZoneAlarm router is installed at the entry point to your network, and
serves as the gateway for the internal network computers. In this ideal location, the
inspection module can inspect all traffic before it reaches the network.
Packet State and Context Information
To track and act on both state and context information for an application is to treat that
traffic
statefully
. The following are examples of state and context-related information that a
firewall should track and analyze:
Packet-header information (source and destination address, protocol, source and
destination port, and packet length)
Connection state information (which ports are being opened for which
connection)
TCP and IP fragmentation data (including fragments and sequence numbers)
Packet reassembly, application type, and context verification (to verify that the
packet belongs to the communication session)
Packet arrival and departure interface on the firewall
Layer 2 information (such as VLAN ID and MAC address)
Page 29 / 428
Check Point Stateful Inspection Technology
Chapter 2: The ZoneAlarm Firewall
15
Date and time of packet arrival or departure
The ZoneAlarm firewall examines IP addresses, port numbers, and any other information
required. It understands the internal structures of the IP protocol family and applications,
and is able to extract data from a packet's application content and store it, to provide
context in cases where the application does not provide it. The ZoneAlarm firewall also
stores and updates the state and context information in dynamic tables, providing
cumulative data against which it inspects subsequent communications.
The Stateful Inspection Advantage - Passive FTP
Example
In order to discuss the strength of Stateful Inspection technology in comparison to the
other firewall technologies mentioned, we will examine the Passive FTP protocol and the
ways that firewalls handle Passive FTP traffic pass-through.
FTP connections are unique, since they are established using two sessions or channels: one
for command (AKA control) and one for data. The following table describes the steps of
establishing a Passive FTP connection, where:
C is the client port used in the command session,
D is the client port used in the data session, and
P is the server port used in the data session.
Table 6: Establishment of Passive FTP Connection
Step
Channel
Type
Description
Source
TCP
Source
Port
Destination
TCP
Destination
Port
1
CMD
Client initiates a
PASV command to
the FTP server on
port 21
FTP
client
C >
1023
FTP server
21
Page 30 / 428
Check Point Stateful Inspection Technology
16
Check Point ZoneAlarm User Guide
Step
Channel
Type
Description
Source
TCP
Source
Port
Destination
TCP
Destination
Port
2
CMD
Server responds
with data port
information P >
1023
FTP
server
21
FTP client
C
3
Data
Client initiates data
connection to
server on port P
FTP
client
D >
1023
FTP server
P
4
Data
Server
acknowledges
data connection
FTP
server
P
FTP client
D
The following diagram demonstrates the establishment of a Passive FTP connection
through a firewall protecting the FTP server.
From the FTP server's perspective, the following connections are established:
Command connection from the client on a port greater than 1023, to the server
on port 21
Data connection from the client on a port greater than 1023, to the server
on a
port greater than 1023
Figure 3: Establishment of Passive FTP Connection

Rate

3.5 / 5 based on 2 votes.

Popular ZoneAlarm Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top