Check Point ZoneAlarm User Guide
Chapter 2: The ZoneAlarm Firewall

Security Requirements
In order to make control decisions for new communication attempts, it is not sufficient for
the firewall to examine packets in isolation. Depending upon the communication attempt,
both the communication state (derived from past communications) and the application state
(derived from other applications) may be critical in the control decision. Thus, to ensure
the highest level of security, a firewall must be capable of accessing, analyzing, and
utilizing the following:
- Communication information: information from all seven layers in the packet.
- Communication-derived state: the state derived from previous communications. For example, the outgoing PORT command of an FTP session could be saved so that an incoming FTP data connection can be verified against it.
- Application-derived state: the state information derived from other applications. For example, a previously authenticated user would be allowed access through the firewall for authorized services only.
- Information manipulation: the ability to perform logical or arithmetic functions on data in any part of the packet, for example the ability to encrypt packets.
Old Firewall Technologies
Older firewall technologies, such as packet filtering and application-layer gateways, are
still in use in some environments. It is important to familiarize yourself with these
technologies, so as to better understand the benefits and advantages of the Check Point
Stateful Inspection firewall technology.
Packet Filters
Historically implemented on routers, packet filters filter user-defined content, such as IP
addresses. They examine a packet at the network or transport layer and are application-
independent, which allows them to deliver good performance and scalability.
Packet filters are the least secure type of firewall, as they are not application-aware,
meaning that they cannot understand the context of a given communication. This makes
them relatively easy targets for unauthorized entry to a network. A limitation of this type
of filtering is its inability to provide security for basic protocols.
Packet filters have the following advantages and disadvantages:
Table 4: Packet Filter Advantages and Disadvantages

Advantages                  Disadvantages
Application independence    Low security
High performance            No screening above the network layer
Scalability
Application-Layer Gateways
Application-layer gateways improve security by examining all application layers, bringing
context information into the decision-making process. However, the method they use to do
this disrupts the client/server model, reducing scalability. Ordinarily, a client sends
requests for information or action according to a specific protocol, and the server responds,
all in one connection. With application-layer gateways, each client/server communication
requires two connections: one from a client to a proxy, and one from a proxy to a server. In
addition, each proxy requires a different process (or daemon), making support for new
applications a problem.
Application-layer gateways have the following advantages and disadvantages:
Table 5: Application-Layer Gateway Advantages and Disadvantages

Advantages                         Disadvantages
Good security                      Poor performance
Full application-layer awareness   Limited application support
                                   Poor scalability (breaks the client/server model)
Check Point Stateful Inspection Technology
Invented by Check Point, Stateful Inspection is the industry standard for network security
solutions. A powerful inspection module examines every packet, ensuring that packets do
not enter a network unless they comply with the network's security policy.
Stateful Inspection technology implements all necessary firewall capabilities between the
data and network layers. Packets are intercepted at the network layer for best performance
(as in packet filters), but the data derived from layers 3-7 is accessed and analyzed for
improved security (compared to layers 4-7 in application-layer gateways). Stateful
Inspection incorporates communication and application-derived state and context
information, which is stored and updated dynamically. This provides cumulative data
against which subsequent communication attempts can be evaluated. Stateful Inspection
also delivers the ability to create virtual-session information for tracking connectionless
protocols, such as UDP-based and RPC applications.
ZoneAlarm routers use Stateful Inspection technology to analyze all packet
communication layers and extract the relevant communication and application state
information. The ZoneAlarm router is installed at the entry point to your network, and
serves as the gateway for the internal network computers. In this ideal location, the
inspection module can inspect all traffic before it reaches the network.
Packet State and Context Information
To track and act on both state and context information for an application is to treat that
traffic statefully. The following are examples of state and context-related information that a
firewall should track and analyze:
- Packet-header information (source and destination address, protocol, source and destination port, and packet length)
- Connection state information (which ports are being opened for which connection)
- TCP and IP fragmentation data (including fragments and sequence numbers)
- Packet reassembly, application type, and context verification (to verify that the packet belongs to the communication session)
- Packet arrival and departure interface on the firewall
- Layer 2 information (such as VLAN ID and MAC address)
- Date and time of packet arrival or departure
The ZoneAlarm firewall examines IP addresses, port numbers, and any other information
required. It understands the internal structures of the IP protocol family and applications,
and is able to extract data from a packet's application content and store it, to provide
context in cases where the application does not provide it. The ZoneAlarm firewall also
stores and updates the state and context information in dynamic tables, providing
cumulative data against which it inspects subsequent communications.
The Stateful Inspection Advantage - Passive FTP Example
In order to discuss the strength of Stateful Inspection technology in comparison to the
other firewall technologies mentioned, we will examine the Passive FTP protocol and the
ways that firewalls handle Passive FTP traffic pass-through.
FTP connections are unique, since they are established using two sessions or channels: one
for command (AKA control) and one for data. The following table describes the steps of
establishing a Passive FTP connection, where:
- C is the client port used in the command session,
- D is the client port used in the data session, and
- P is the server port used in the data session.
Table 6: Establishment of Passive FTP Connection

Step  Channel Type  Description                                                  Source TCP  Source Port  Destination TCP  Destination Port
1     CMD           Client initiates a PASV command to the FTP server on port 21  FTP client  C > 1023     FTP server       21
2     CMD           Server responds with data port information P > 1023          FTP server  21           FTP client       C
3     Data          Client initiates data connection to server on port P         FTP client  D > 1023     FTP server       P
4     Data          Server acknowledges data connection                          FTP server  P            FTP client       D
The following diagram demonstrates the establishment of a Passive FTP connection
through a firewall protecting the FTP server.
From the FTP server's perspective, the following connections are established:
- Command connection from the client on a port greater than 1023, to the server on port 21
- Data connection from the client on a port greater than 1023, to the server on a port greater than 1023
Figure 3: Establishment of Passive FTP Connection
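As an added illustration (written for this edit, not code from the guide or from Check Point), the following Python sketch models how an inspection module in front of the FTP server can apply the communication-derived state described above: it reads the data port P from the server's PASV reply on the command channel and admits only the matching data connection, where a packet filter would have to leave every port above 1023 open. The addresses, ports and class names are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed addresses for the walkthrough (assumptions, not values from the guide).
SERVER, CLIENT = "192.0.2.10", "198.51.100.7"
# FTP "227" reply carrying the data port: (h1,h2,h3,h4,p1,p2) -> P = p1*256 + p2
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
Packet = namedtuple("Packet", "src sport dst dport payload", defaults=("",))

class StatefulFirewall:
    # Inspection module in front of the FTP server; holds the dynamic state tables.
    def __init__(self, server):
        self.server = server
        self.expected = set()   # (client_ip, P) pinholes learned from PASV replies
        self.sessions = set()   # (client_ip, D, P) data sessions already admitted

    def inspect(self, pkt):
        # Command channel (port 21) is allowed by static policy in both directions.
        if pkt.dst == self.server and pkt.dport == 21:
            return "ALLOW"
        if pkt.src == self.server and pkt.sport == 21:
            m = PASV_RE.match(pkt.payload)
            if m:   # communication-derived state: remember P for this client only
                ip = ".".join(m.group(i) for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                if ip == self.server and port > 1023:
                    self.expected.add((pkt.dst, port))
            return "ALLOW"
        # Step 3: client data SYN admitted only against a pinhole the server announced.
        if pkt.dst == self.server and pkt.sport > 1023 and (pkt.src, pkt.dport) in self.expected:
            self.expected.discard((pkt.src, pkt.dport))          # one-shot pinhole
            self.sessions.add((pkt.src, pkt.sport, pkt.dport))
            return "ALLOW"
        # Step 4 onward: server replies belonging to an admitted data session.
        if pkt.src == self.server and (pkt.dst, pkt.dport, pkt.sport) in self.sessions:
            return "ALLOW"
        return "DROP"   # a packet filter would have to open every port > 1023 instead

def passive_ftp_walkthrough():
    # Runs Table 6's four steps plus one unrelated high-port attempt.
    fw = StatefulFirewall(SERVER)
    steps = [
        Packet(CLIENT, 40001, SERVER, 21, "PASV\r\n"),                                          # step 1
        Packet(SERVER, 21, CLIENT, 40001, "227 Entering Passive Mode (192,0,2,10,19,137)\r\n"),  # step 2, P = 5001
        Packet(CLIENT, 40002, SERVER, 5001),                                                    # step 3, D = 40002
        Packet(SERVER, 5001, CLIENT, 40002),                                                    # step 4
        Packet(CLIENT, 40003, SERVER, 5002),   # port never announced by the server: dropped
    ]
    return [fw.inspect(p) for p in steps]
```

The pinhole is only created when the announced address matches the protected server, so a reply naming some other host opens nothing.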