Stateful packet inspection (SPF), or stateful inspection for short, extends the packet-filter approach by also checking information about the state of each connection. In addition to the static table of permitted ports and address ranges, this technology maintains a dynamic table holding the status of the individual connections. Thanks to this dynamic table, all potentially vulnerable ports can initially be blocked; a port is opened only when an approved connection (defined by source and destination address) requests it. Opening a port is always initiated from the protected network towards the unprotected network, i.e. generally from the LAN to the WAN (Internet). Data packets that do not belong to a valid connection in the state table are dropped automatically.
In addition, stateful inspection can tell from the connection setup whether additional channels are being negotiated for the data exchange. When protocols such as FTP (for data transfer), T.120, H.225 and H.245 (for NetMeeting or IP telephony), PPTP (for VPN tunnels) or IRC (for chat) establish a connection from the LAN to the Internet using a particular source port, the control traffic reveals whether they are negotiating additional ports with the remote site. Stateful inspection enters these additional ports into the connection list, restricting them, of course, to the corresponding source and destination addresses.
Let's take another look at the example of an FTP download. When starting the FTP session, the client establishes a connection from its source port 4321 to destination port 21 at the server. Provided that the FTP protocol is allowed from local computers to the outside, stateful inspection permits this initial connection to be established. The firewall enters the source and destination addresses along with the corresponding ports into the dynamic table. At the same time, stateful inspection can examine the control information sent to port 21 of the server. This control information shows that the client is requesting a connection from server port 20 to client port 4322. The firewall enters these values into the dynamic table because it is the client that is requesting this connection into the LAN. The server can then send the data to the client as desired.
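The FTP walkthrough above, as an added example that is not part of the original text: a toy stateful filter in Python with a static rule table, a dynamic state table and inspection of the FTP control channel. It assumes the client announces its data port with the active-mode PORT command (RFC 959); the LAN prefix, the addresses and the packet sequence are constructed.

```python
import re

# Constructed toy (not the original page's code): assumed LAN prefix and static rule.
LAN_PREFIX = "192.168.1."
ALLOWED_OUTBOUND_PORTS = {21}    # static table: FTP control from LAN to WAN

def is_lan(ip):
    return ip.startswith(LAN_PREFIX)

class StatefulFilter:
    def __init__(self):
        self.state = set()   # dynamic table; each connection stored in both directions

    def _track(self, a_ip, a_port, b_ip, b_port):
        self.state.add((a_ip, a_port, b_ip, b_port))
        self.state.add((b_ip, b_port, a_ip, a_port))

    def _inspect_ftp(self, src_ip, dst_ip, dst_port, payload):
        # Only the LAN client's control traffic to server port 21 may open a data
        # channel; "PORT h1,h2,h3,h4,p1,p2" announces the client port (RFC 959).
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload)
        if dst_port != 21 or not is_lan(src_ip) or not m:
            return
        h = [int(x) for x in m.groups()]
        client_ip, client_port = ".".join(map(str, h[:4])), h[4] * 256 + h[5]
        if client_ip != src_ip:        # never open a channel towards a third host
            return
        self._track(dst_ip, 20, client_ip, client_port)  # server:20 -> client:port only

    def filter(self, src_ip, src_port, dst_ip, dst_port, payload=b""):
        if (src_ip, src_port, dst_ip, dst_port) not in self.state:
            # New connection: only LAN -> WAN on a statically allowed port is accepted
            if not (is_lan(src_ip) and not is_lan(dst_ip)
                    and dst_port in ALLOWED_OUTBOUND_PORTS):
                return "DROP"
            self._track(src_ip, src_port, dst_ip, dst_port)
        self._inspect_ftp(src_ip, dst_ip, dst_port, payload)
        return "PASS"

def ftp_download_walkthrough():
    """Replays the page's FTP download; returns the verdict for each packet."""
    fw, client, server = StatefulFilter(), "192.168.1.10", "203.0.113.5"
    return [
        fw.filter(server, 20, client, 4322),                     # DROP: no state yet
        fw.filter(client, 4321, server, 21, b"USER anon\r\n"),   # PASS: control channel
        fw.filter(server, 21, client, 4321, b"331 OK\r\n"),      # PASS: tracked reply
        fw.filter(client, 4321, server, 21, b"PORT 192,168,1,10,16,226\r\n"),  # 16*256+226 = 4322
        fw.filter(server, 20, client, 4322),                     # PASS: negotiated channel
        fw.filter("198.51.100.9", 20, client, 4322),             # DROP: wrong source host
    ]
```

The last packet shows the restriction the text describes: the negotiated data channel is bound to the server and client addresses that set it up, so another host cannot reuse port 4322.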