In order to identify the type (stateful or stateless) of our network's Firewall,
Question
In order to identify the type (stateful or stateless) of our network's Firewall, we performed the following experiment: from an external host, we sent 7 packets to our Firewall, as in the figure below. Some packets have been blocked by the Firewall. By analyzing the accepted and denied packets, identify the type of your Firewall. Explain your answer.
[Figure: Packets #1 to #7 and the Firewall]

Packet #1: (ICMP, Type=8, Code=0)
Packet #2: (UDP, S-Port=2000, D-Port=21)
Packet #3: (TCP, S-Port=2000, D-Port=21, SYN=1, ACK=0)
Packet #4: (TCP, S-Port=2001, D-Port=21, SYN=0, ACK=1)
Packet #5: (TCP, S-Port=21, D-Port=2000, SYN=1, ACK=1)
Packet #6: (TCP, S-Port=2000, D-Port=21, SYN=0, ACK=1)
Packet #7: (TCP, S-Port=2002, D-Port=23, SYN=1, ACK=0)

Explanation / Answer
Here, the stateful filtering of the firewall has taken place. This policy addresses the security issues in basic filtering by stateless filtering, which allows bi-directional protocols like TCP and UDP to initialize the session, and an attacker can spoof the IP address and the port number of these services and can initiate a DDoS attack.
But stateful filtering keeps track of established TCP connections. They keep an entry in a cache for each open TCP connection. An entry of a TCP connection includes the client and the server IP addresses and the client and server port numbers. The client port number information was not fully known when the administrator wrote the rules.
After the TCP connection has been established, the decision whether or not to allow subsequent TCP packets is based on the contents of the state cache. That is, when a subsequent TCP packet, with the flag SYN unset and the flag ACK set, reaches the firewall, the firewall checks whether an entry for the TCP connection it belongs to already exists in the cache. If the connection is listed in the cache, the packet is allowed through immediately. If no such connection exists, then the packet is rejected. If a TCP connection becomes inactive for too long, the firewall evicts the entry from the cache and blocks the connection.
The tracking of UDP session state is a complicated process. The UDP protocol relies entirely on ICMP as its error handler. Therefore, the ICMP protocol is an important part of a UDP session to be considered when tracking its overall state. For example, in a UDP session, the client or server host may not have sufficient buffer space to process the received packets. Consequently, the host may become unable to keep up with the speed at which it is receiving packets.
In case the firewall blocks the ICMP source quench message because it is not part of the normal UDP session, the host that is sending packets too quickly does not know that an issue has come up, and it continues to send at the same speed, resulting in lost packets or creating a DoS attack situation at the receiving host. Therefore, a stateful firewall that tracks UDP sessions must consider such related ICMP traffic when deciding what traffic should be returned to protected hosts.
THANK YOU
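The state-cache check described in the answer, run over the seven packets from the question, as an added example that is not part of the original question or answer. It assumes a policy that permits only the TCP service on port 21 and treats Packet #5 as the server's reply; the page does not state the firewall rules, the packet directions or which packets were actually blocked.

```python
# Constructed from the seven packets in the question; only ports and flags are
# given there, so IP addresses are omitted (a real state table keys on them too).
PACKETS = [
    {"n": 1, "proto": "ICMP"},
    {"n": 2, "proto": "UDP", "sport": 2000, "dport": 21},
    {"n": 3, "proto": "TCP", "sport": 2000, "dport": 21, "syn": 1, "ack": 0},
    {"n": 4, "proto": "TCP", "sport": 2001, "dport": 21, "syn": 0, "ack": 1},
    {"n": 5, "proto": "TCP", "sport": 21, "dport": 2000, "syn": 1, "ack": 1},
    {"n": 6, "proto": "TCP", "sport": 2000, "dport": 21, "syn": 0, "ack": 1},
    {"n": 7, "proto": "TCP", "sport": 2002, "dport": 23, "syn": 1, "ack": 0},
]
SERVICE_PORT = 21  # assumed policy: only the TCP service on port 21 is permitted


def stateless_allows(p):
    """Per-packet rules only: no memory of earlier packets."""
    if p["proto"] != "TCP":
        return False
    to_service = p["dport"] == SERVICE_PORT
    reply = p["sport"] == SERVICE_PORT and p["ack"] == 1
    return to_service or reply


def stateful_allows(p, table):
    """An opening SYN creates a cache entry; everything else must match one."""
    if p["proto"] != "TCP":
        return False
    if p["syn"] == 1 and p["ack"] == 0:          # new connection attempt
        if p["dport"] != SERVICE_PORT:
            return False
        table.add((p["sport"], p["dport"]))      # (client port, server port)
        return True
    # Established traffic in either direction must belong to a cached entry.
    return (p["sport"], p["dport"]) in table or (p["dport"], p["sport"]) in table


def verdicts():
    table = set()
    return {p["n"]: (stateless_allows(p), stateful_allows(p, table)) for p in PACKETS}


def distinguishing_packets():
    """Packets on which the two firewall types disagree."""
    return [n for n, (sl, sf) in verdicts().items() if sl != sf]


if __name__ == "__main__":
    for n, (sl, sf) in verdicts().items():
        print(f"Packet #{n}: stateless={'accept' if sl else 'deny'} "
              f"stateful={'accept' if sf else 'deny'}")
```

Under these assumptions the two filters disagree only on Packet #4, an ACK-only segment from a client port that never sent a SYN, so its fate in the experiment is what separates a stateful firewall from a stateless one.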