[Dr.WoW] [No.5] Stateful Inspection and Session Mechanism Highlighted

Latest reply: Mar 24, 2015 06:18:01

As mentioned in the section "Development of Firewalls", the third generation of firewalls is the stateful inspection firewall. This type of firewall is a milestone in firewall history, and its stateful inspection and session mechanism has since been used as a basic function of firewalls for security defense. In this post, Dr. WoW introduces the stateful inspection and session mechanism.

1 Stateful Inspection

Let's start with the background of the stateful inspection firewall. In the simple network shown in Figure 1-1, the PC and the Web server are on different networks and both are directly connected to the firewall, which controls the communication between them.

Figure 1-1 Network setup for PC-to-Web server access

When the PC needs to access Web pages on the Web server, rule 1 listed in Table 1-1 has to be configured on the firewall. It allows the access packets to pass, just as a security policy does. Because this section focuses on the stateful inspection and session mechanism rather than on security policies, a plain rule is used for easy understanding. Security policies will be described in "Security Policies."

Table 1-1 Rule 1 on the firewall

| No. | Source IP Address | Source Port | Destination IP Address | Destination Port | Action |
|-----|-------------------|-------------|------------------------|------------------|--------|
| 1   |                   | ANY         |                        | 80               | Permit |

In this rule, ANY indicates that the source port can be any port, because the PC's OS determines the source port when the PC accesses the Web server. On the Windows OS, the source port number can be any value in the range of 1024 to 65535. Since the port number cannot be known in advance, the rule sets it to ANY.

With this rule in place, all the packets from the PC can pass the firewall and reach the Web server. On receiving them, the Web server sends reply packets, which must also traverse the firewall to reach the PC. Before the stateful inspection firewall appeared, this was done with a packet filtering firewall, on which a second rule (rule 2) had to be configured to allow the packets in the reverse direction to pass.

Table 1-2 Rule 2 on the firewall

| No. | Source IP Address | Source Port | Destination IP Address | Destination Port | Action |
|-----|-------------------|-------------|------------------------|------------------|--------|
| 1   |                   | ANY         |                        | 80               | Permit |
| 2   |                   | 80          |                        | ANY              | Permit |

In rule 2, the destination port has to be any port, because the PC's source port is not known in advance. Only with the destination port set to ANY can the reply packets from the Web server traverse the firewall and reach the PC.

Even if the PC is on an otherwise well-protected network, this configuration may leave a serious security risk. Because rule 2 opens every destination port on the PC, an attacker with malicious intentions can attack the PC while posing as the Web server, and the attack packets will traverse the firewall unhindered.

Now let's see how a stateful inspection firewall solves this issue. In the same network setup, rule 1 still has to be applied on the firewall to allow the PC to access the Web server. When the access packets reach the firewall, the firewall allows them to pass and sets up a session for the access. This session records information about the packets sent by the PC, such as the IP addresses and ports.

When the reply packets arrive from the Web server, the firewall compares the packet information with the information recorded in the session. If they match and the reply packets conform to the HTTP protocol, the firewall treats them as subsequent packets of the PC-to-Web server access and allows them to pass. Figure 1-2 shows the process.

For easy understanding, this section uses an example in which the PC and Web server are directly connected to the firewall. In a practical setup, if the PC and Web server are on different networks and are not directly connected to the firewall, routes have to be configured on the firewall so that the PC and Web server are mutually reachable. In other words, even when the reply packets match the session, the firewall still needs a route to the PC; only then can the reply packets reach the PC as expected.

Figure 1-2 Packet exchange through the stateful inspection firewall


If an attacker with malicious intentions sends access requests to the PC while posing as the Web server, the firewall does not treat the request packets as subsequent packets of the PC-to-Web server session and therefore denies them. This design prevents the security risk of open ports while still enabling the PC to access the Web server.

To sum up: before the stateful inspection firewall appeared, a packet filtering firewall permitted or denied packets based on static rules, treating every packet as a stateless, isolated unit and ignoring the relationships between packets. A packet filtering firewall therefore needs a rule for the packets in each direction, which means low efficiency and high security risk.

The stateful inspection firewall fixes this defect of the packet filtering firewall. It uses an inspection mechanism based on connection state and treats all the packets exchanged over the same connection between communication peers as one complete data flow. For this firewall, the packets in a data flow are related, not isolated. A session is established for the first packet, and subsequent packets that match the session are forwarded directly without being checked against the rules again. This design also improves packet forwarding efficiency.

2 Session

Now let's look at the "session". On a firewall, a session refers to a connection established between communication peers. A collection of sessions forms a session table. The following is a typical session table entry.

http  VPN:public --> public>

The key fields in the session table entry are as follows:

  • http: application-layer protocol
  • source IP address
  • 2049: source port
  • destination IP address
  • 80: destination port

How do you tell the source from the destination? Find the "-->" symbol in the entry. The fields before the symbol belong to the source and those after it belong to the destination.

The five fields (source address, source port, destination address, destination port, and protocol) are important information for a session, and they are called "5-tuple". The stateful inspection firewall takes the packets that have the same 5-tuple as a flow and uniquely identifies a connection by the 5-tuple.

How does the firewall generate a session table entry for protocols whose packets carry no port information? ICMP packets, for example, have no ports. For an ICMP session the firewall uses the ID field in the packet header as the source port and 2048 as the destination port. Another example is the authentication header (AH) and encapsulating security payload (ESP) protocols used in IPSec (to be described in later sections), whose packets have no port information either. For AH and ESP sessions the firewall records both the source and destination ports as 0.
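As an added illustration (not Huawei's code and not part of the original post), the following Python model implements the process of section 1 together with the session rules of this section: rule 1 alone creates a session from the PC's first packet, reply packets are permitted only when their 5-tuple is the reverse of a session entry, and ICMP and AH/ESP are keyed with the pseudo ports the text describes (ID field and 2048; 0 and 0). The addresses 10.1.1.2 (PC) and 10.1.2.2 (Web server) are assumed, since the post's own addresses do not survive here.

```python
from dataclasses import dataclass
ICMP_DST_PORT = 2048      # ICMP has no ports: "source port" = ID field, "destination port" = 2048
PORTLESS = ("ah", "esp")  # IPsec AH/ESP have no ports either: both recorded as 0

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "icmp", "ah" or "esp"
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    icmp_id: int = 0      # only meaningful when proto == "icmp"

def five_tuple(p):
    """Session key (proto, src_ip, src_port, dst_ip, dst_port) as the text defines it."""
    if p.proto == "icmp":
        return (p.proto, p.src_ip, p.icmp_id, p.dst_ip, ICMP_DST_PORT)
    if p.proto in PORTLESS:
        return (p.proto, p.src_ip, 0, p.dst_ip, 0)
    return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

def reverse(key):
    proto, sip, sport, dip, dport = key
    if proto == "icmp":   # an echo reply carries the same ID, so only the addresses swap
        return (proto, dip, sport, sip, dport)
    return (proto, dip, dport, sip, sport)

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules      # (proto, src_ip, dst_ip, dst_port or None for ANY, action); source port is ANY
        self.sessions = set()   # session table, keyed by the 5-tuple of each flow's first packet

    def _rule_permits(self, p):
        for proto, src, dst, dport, action in self.rules:
            if (proto, src, dst) == (p.proto, p.src_ip, p.dst_ip) and dport in (None, p.dst_port):
                return action == "permit"
        return False            # no matching rule: implicit deny

    def forward(self, p):
        key = five_tuple(p)
        if key in self.sessions or reverse(key) in self.sessions:
            return "permit (session match)"      # later packets of the flow skip the rule lookup
        if self._rule_permits(p):
            self.sessions.add(key)               # the first permitted packet creates the session
            return "permit (rule match, session created)"
        return "deny"

def demo():
    # Constructed scenario with assumed addresses: PC 10.1.1.2, Web server 10.1.2.2, rule 1 only.
    fw = StatefulFirewall([("tcp", "10.1.1.2", "10.1.2.2", 80, "permit")])
    return [fw.forward(Packet("tcp", "10.1.1.2", "10.1.2.2", 2049, 80)),   # PC -> server request
            fw.forward(Packet("tcp", "10.1.2.2", "10.1.1.2", 80, 2049)),   # genuine reply: matches the session
            fw.forward(Packet("tcp", "10.1.2.2", "10.1.1.2", 80, 3389))]   # unsolicited packet from the server address: no session
```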

3 Verification of Stateful Inspection

Talk is cheap. So Dr. WoW uses the eNSP simulator to set up a simple network and verify the firewall's stateful inspection. The network uses the same topology as Figure 1-1.

The Enterprise Network Simulation Platform (eNSP) is a graphical network device simulation platform provided free of charge by Huawei. It can simulate network devices such as enterprise routers, switches and firewalls, so that functions can be verified and network technologies learned without real devices. The eNSP can simulate the USG5500 firewall and supports the majority of its security functions. The eNSP will be used for verification in the following sections as well.

Only one rule (the one listed in Table 1-1) is configured on the firewall, allowing the PC-to-Web server packets to pass. When HttpClient is run on the PC to access the Web server, the access succeeds. Running the display firewall session table command on the firewall shows one session.

[FW] display firewall session table

Current Total Sessions : 1 

  http  VPN:public --> public>

The preceding output shows that the stateful inspection mechanism is working: when the reply packets arrive from the Web server, the firewall treats them as matching the session and allows them to pass, even though no rule allows packets in the reverse direction.

Hopefully, Dr. WoW's introduction helps you understand the stateful inspection and session mechanism. Dr. WoW also suggests that you practice with the eNSP yourself.


Thank you.