SIEMENS 5890 DSL Router
User’s Guide
Chapter 6 Security Setup
Stateful Firewall
SIEMENS
73
Stateful Firewall
A firewall is a program or hardware device that filters the information coming through the Internet connection
into your private network or computer system designed to prevent unauthorized access to or from a private
network. If an incoming packet of information is flagged by the filters, it is not allowed through. However, a
traditional stateless firewall has no way of matching incoming packets with an existing connection, so cannot
prevent some security problems.
A stateful firewall tracks significant attributes of each connection from start to finish (such as the IP address
and ports used for the connection, as well as the sequence number of the packets traversing the connection),
and matches any packets inspected to an existing or new connection. These attributes are known collectively
as the connection state. Only packets that match a known connection state are allowed by the stateful firewall;
all others are rejected. Therefore, a stateful firewall offers better control over network traffic.
Stateful firewall varies from the IP filtering firewall in that it gathers and maintains state information about each
session.
IP filtering firewall examines the packet’s header information and matches it against a set of defined rules. If it
finds a match, the corresponding action is performed. If not, the packet is accepted.
Stateful firewall intercepts outgoing packets and gathers information from them (for example IP address
information, port number) to create state information for that session. When an incoming packet is received,
the stateful firewall checks the packet against the state information it has maintained and accepts the packet if
the packet belongs to the session.
The router supports both the traditional IP filtering firewall and a stateful firewall. The IP filtering firewall built-
into the router, consists of a set of rules that are examined each time a packet is transmitted or received from
the public network. It examines the packet’s header information and matches it against a set of defined rules. If
it finds a match, the corresponding action is performed. If not, the packet is accepted.
The IP filtering firewall provides an adequate level of security, but is limited in that it does not look beyond the
packet’s header to collect more information, which could leave the firewall vulnerable to attacks. One example
of this vulnerability is in the case when the IP filtering firewall requires a range of port numbers to be opened to
allow some protocols to work. For example, the FTP protocol involves an exchange of port number information
between the client and server. In this case, the client sends the server the port number to use to connect to the
client. In order for such protocols to work with the IP filtering firewall, a range of ports would have to be opened
and exposed because the firewall is unaware of exactly which port number is being used. This type of static
protection leaves machines behind the firewall vulnerable.
The stateful firewall overcomes these limitations by maintaining state information about each session. The
stateful firewall gathers information about outgoing packets and stores state information for that session in a
state table. When an incoming packet is received, the stateful firewall checks the packet against the
maintained information and accepts the packet if the packet belongs to the session. Once the session ends, its
entry in the state-table is discarded. As an added security measure against port scanning, stateful inspection
firewalls close off ports until connection to the specific port is requested.
By default, the stateful firewall is disabled, and your system is vulnerable until this feature is enabled.
This section describes how to perform the following tasks.
Configure Stateful Firewall
Configure settings that control how the Stateful Firewall
performs.
Dropped Packets
View the most recent dropped packets.
Firewall Rules
Configure Stateful Firewall rules.