Firewalls and Tunnels
5-4
Hewlett-Packard Company Virtual Private Networking Concepts Guide
Stateful
All other firewall rules are stateful, which means that a communication session is established between a device inside the firewall (on the red network) and a device outside the firewall (on the black network). In this way, when a device on a red (trusted) network (in the case of a one-way outbound link or outbound proxy) makes a request to a device on a black (untrusted) network that requires a response, the response is allowed back into the network.
The VPN device is also configured to allow data packets from the black (untrusted) network to establish a link with a specific IP address inside the red (trusted) network. In this case, the VPN device stores the IP address of the computer sending the data packets from the black (untrusted) network, so if the link is dropped and the originating computer tries to reestablish it, the VPN device remembers the IP address of the computer that created the initial link. This type of stateful connection is known as an inbound proxy or one-way in firewall rule. The only difference between an inbound proxy and a one-way in firewall rule is the point at which a data packet is removed from encapsulation and the firewall rules are applied.
The inbound data packets from the originating device are addressed to the IP address of the VPN device, not to the real address of the destination computer. When a data packet arrives at the gateway, the gateway checks the validity of the packet, maintains the state of the transmission, and permits or denies the packet based on the stateful rules configured in the VPN device. Only if the packet is permitted by the firewall rule is it then routed to the destination computer according to the IP addressing information it carries.
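The following is an added illustration, not code from the HP guide or from any HP product, of the three behaviours described above as a small Python rule engine: a one-way outbound rule that records session state so the reply is let back in, a one-way in rule for one specific red address that remembers the black-side originator across a dropped link, and the check that inbound packets arrive addressed to the gateway before the inner packet is evaluated. The network prefix, gateway address and host addresses are constructed sample values, and binding the one-way in rule to the first originator (so that a different black host is refused) is an assumption made for this example.

```python
from typing import NamedTuple, Dict, Set

class Packet(NamedTuple):
    src: str      # real (inner) source address
    dst: str      # real (inner) destination address
    sport: int
    dport: int
    proto: str

class VpnFirewall:
    """Toy stateful rule engine: red = trusted side, black = untrusted side."""
    def __init__(self, red_prefix: str, gateway_ip: str, inbound_targets: Set[str]):
        self.red_prefix = red_prefix            # constructed: e.g. "10.1." marks the red network
        self.gateway_ip = gateway_ip            # black-side address packets are sent to
        self.inbound_targets = inbound_targets  # red hosts reachable through a one-way in rule
        self.sessions: Set[Packet] = set()      # established 5-tuples (outbound or inbound)
        self.originators: Dict[str, str] = {}   # red target -> black host that made the first link

    def is_red(self, ip: str) -> bool:
        return ip.startswith(self.red_prefix)

    def outbound(self, pkt: Packet) -> str:
        """Packet leaving the red network: one-way outbound rule, creates state."""
        reverse = Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if reverse in self.sessions:
            return "permit:reply"               # red host answering an inbound link
        if self.is_red(pkt.src) and not self.is_red(pkt.dst):
            self.sessions.add(pkt)
            return "permit:outbound"
        return "deny"

    def inbound(self, outer_dst: str, pkt: Packet) -> str:
        """Packet from the black network: must target the gateway, then rules apply."""
        if outer_dst != self.gateway_ip:
            return "deny:not-for-gateway"
        reverse = Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if reverse in self.sessions:
            return "permit:reply"               # response to a one-way outbound session
        if pkt.dst in self.inbound_targets and not self.is_red(pkt.src):
            first = self.originators.setdefault(pkt.dst, pkt.src)
            if first != pkt.src:                # assumption: rule bound to first originator
                return "deny:other-originator"
            self.sessions.add(pkt)
            return "permit:inbound"
        return "deny"

    def drop_link(self, pkt: Packet) -> None:
        """Link dropped: session state is gone, but the originator is remembered."""
        self.sessions.discard(pkt)
```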