Monday, May 4, 2009

Stateful vs. Stateless IP Filtering

Types of firewall
  • Packet filters
  • Stateful Inspection
  • Proxies
  • Dynamic
  • Kernel

Packet filtering is more commonly known as "stateless" or "static" IP filtering.

There are several advantages to using a static IP filter. It combines low overhead with high throughput. Stateless IP filters are very inexpensive, and many are free: they ship with router configuration software or are included with most Open Source operating systems. Because a static IP filter does little more than route traffic, it is well suited to traffic management.

On the other hand, there are quite a few disadvantages to using a static IP filter, especially with regard to security. Static IP filters allow direct connections from the external network to hosts on the internal network. Static filters can become cumbersome to maintain in complex environments. Static filters are vulnerable to IP spoofing attacks unless they have been specifically configured to prevent this. All holes in the firewall are permanent: either a hole exists or it doesn't; there is no opening and closing of connections based on outside criteria. And lastly, static IP filters offer no form of authentication.

As you can see, static packet filtering does not offer enough in the way of security to be the only gateway between an internal network and the Internet. Realizing the deficiencies of static filtering, developers had to come up with more dynamic or "intelligent" solutions. Enter stateful packet filtering.

The biggest difference between simple IP filtering and stateful IP filtering is that simple IP filters have no recollection of packets that have already passed through the filter. Every packet is handled on an individual basis. Previously forwarded packets belonging to a connection have no bearing on the filter's decision to forward or drop the packet.
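To make the difference concrete, here is an added example (not code from the original post) that simulates both kinds of filter over a few constructed TCP packets. The internal range 10.0.0.0/8, the addresses (documentation ranges) and the rules themselves are assumptions chosen for illustration. The stateless filter must keep a permanent hole open for reply traffic (any inbound packet with ACK set), so an unsolicited ACK-flagged packet from outside passes; the stateful filter remembers flows opened from the inside and drops the same packet.

```python
# Added example (not from the original post): a toy comparison of a stateless
# and a stateful TCP filter over constructed packets. Addresses, ports and the
# internal range 10.0.0.0/8 are assumptions chosen for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag set
    ack: bool = False  # TCP ACK flag set


def is_outbound(p: Packet) -> bool:
    """True when the packet leaves the internal network for the outside."""
    return ip_address(p.src) in INTERNAL and ip_address(p.dst) not in INTERNAL


def stateless_filter(p: Packet) -> bool:
    """Static filter: every packet is judged alone. Outbound traffic is allowed.
    To let replies to internal clients back in, the ruleset needs a permanent
    hole: any inbound packet carrying the ACK flag is accepted, whether or not
    an internal host ever asked for it."""
    if is_outbound(p):
        return True
    return p.ack


class StatefulFilter:
    """Connection-tracking filter: remembers flows opened from the inside and
    admits inbound packets only when they belong to one of them."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def check(self, p: Packet) -> bool:
        if is_outbound(p):
            flow = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:
                self.flows.add(flow)  # new connection initiated from inside
                return True
            return flow in self.flows  # later packets of a known flow
        # Inbound: accept only if it is the reverse direction of a tracked flow.
        return (p.dst, p.dport, p.src, p.sport) in self.flows


# Constructed traffic (documentation address ranges, not real hosts):
# 1. an internal client opens a connection to an external web server,
# 2. the server's SYN/ACK reply comes back,
# 3. an unrelated external host sends an unsolicited ACK-flagged packet to
#    an internal host on port 22.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True),
    Packet("198.51.100.7", 80, "10.0.0.9", 22, ack=True),
]


def run_filters(packets=TRAFFIC) -> dict[str, list[bool]]:
    """Return the accept/drop verdict of each filter for each packet."""
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in packets],
        "stateful": [stateful.check(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in run_filters().items():
        print(name, ["accept" if v else "drop" for v in verdicts])
```

The stateless verdicts are accept, accept, accept; the stateful verdicts are accept, accept, drop. The third packet is exactly the "permanent hole" the post describes: the static ruleset cannot distinguish a genuine reply from an unsolicited packet that merely looks like one, while the stateful filter has no tracked flow for it. A real implementation would also expire idle flows and track the TCP handshake more carefully; the toy keeps only the part needed to show the difference.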

There are actually two classes of stateful packet filtering. The first is based on a pure packet filtering environment. The second involves application proxies. A proxy acts as an intelligent intermediary between hosts on the internal network and hosts on the external network.

Application proxy servers (a.k.a. application gateways), when properly configured, are probably the most intelligent firewall or gateway that you can have. Application proxies operate at the application layer of the OSI model. This allows proxies to make much more intelligent decisions about what traffic is allowed to pass.

The tradeoff, when compared to traditional packet filtering, is the overhead of running an application gateway. An application proxy makes two connections: one to the machine on the outside of the gateway and a separate connection to the machine on the inside of the gateway. Additionally, the application gateway processes authentication on behalf of the machine on the internal network. Therefore, the demands on the machine are significantly higher than those associated with a typical firewall.
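The following is an added example (not code from the original post, and far smaller than any real gateway) of the kind of decision an application gateway can make and a packet filter cannot: it parses the client's HTTP request, checks the method and Host header against a policy, and only then builds the request it would send on its own, second connection to the server. The allowed methods and hosts are assumed policy values for illustration.

```python
# Added example (not from the original post): a minimal HTTP-aware decision
# routine of the kind an application gateway applies before opening its own
# second connection to the real server. The policy below is an assumption.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"intranet.example", "www.example.org"}  # assumed policy


def parse_request(raw: bytes):
    """Parse the request line and headers of an HTTP/1.x request.
    Returns (method, target, version, headers); raises ValueError or
    UnicodeDecodeError on malformed input."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="strict").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def gateway_decide(raw: bytes):
    """Return (allowed, reason, request_to_forward). The gateway forwards only
    a request it could parse and that matches policy; anything else is refused
    on the client-side connection and never reaches the server."""
    try:
        method, target, version, headers = parse_request(raw)
    except (ValueError, UnicodeDecodeError):
        return False, "unparseable request", None
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted", None
    host = headers.get("host")
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not permitted", None
    # Rebuild the request the gateway sends over its own server-side
    # connection; the server talks to the proxy, not to the internal client.
    forwarded = (
        f"{method} {target} {version}\r\n"
        f"Host: {host}\r\n"
        "Via: 1.1 gateway\r\n\r\n"
    ).encode("ascii")
    return True, "ok", forwarded


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for sample in (
        b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
        b"CONNECT www.example.org:443 HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n",
        b"\xff\xfe not http at all",
    ):
        allowed, reason, _ = gateway_decide(sample)
        print("ALLOW" if allowed else "DENY ", reason)
```

A packet filter sees only addresses, ports and flags on each of these requests; every one of them would look like ordinary traffic to port 80. The gateway, because it terminates the client's connection and reads the application protocol, can refuse the tunnelling request, the off-policy host and the unparseable input, and it pays for that with the parsing and the second connection the post describes.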

Another problem associated with application gateways is the cost. Most application gateway solutions involve the use of expensive, proprietary software and/or hardware. Many advanced stateful packet filters are Open Source. In fact, one of the most common uses for Linux is to build a low cost stateful packet filtering firewall. Because packet filtering with Linux is handled at the kernel level, the overhead is very low. I have heard of early Pentium class machines with minimal memory being resurrected as 100Mbps routers.

There are even projects devoted to running such systems with no hard drives. The machine is booted from a floppy that contains the kernel and all of the configuration information. Once the machine is up and running, the floppy is removed. This can be a very secure, very low cost solution for many small offices and home offices. For more information on the Linux Router Project, check here.

On the other hand, a stateful packet filter is much less resource intensive than an application gateway, while not being completely unintelligent.

Stateful packet filtering does not necessarily address all of the problems with static filtering. Authentication may still not be addressed; however, stateful packet filtering does add a new dimension of security to the otherwise inadequate security of static packet filtering.
