Stateful Inspection Packet Filtering Explained

Most firewalls work, at least in part, by packet filtering—that is, they block or allow transmissions depending on the content of each packet that reaches the firewall. A packet filter examines several attributes of each packet and can either route it (that is, forward it to the intended destination computer) or block it, based on any of these attributes:

• Source address: The IP address of the computer that generated the packet

• Destination address: The IP address of the packet's intended target computer

• Network protocol: The type of traffic, such as Internet Protocol (IP)

• Transport protocol: The higher level protocol, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)

• Source and destination ports: The number that communicating computers use to identify a communications channel

Packet filtering alone is an inadequate solution; incoming traffic that meets all the packet filter criteria could still be something you didn't ask for or want. Stateful-inspection packet filtering goes a step further by restricting incoming traffic to responses to requests from your computer. Here's a simplified example of how stateful-inspection filtering works to allow "good" incoming traffic:

1. You enter a URL in your browser's address bar.

2. The browser sends one or more packets of data, addressed to the web server. The destination port is 80, the standard port for HTTP web servers; the source port is an arbitrary number from 1024 through 65535.

3. The firewall saves information about the connection in its state table, which it will use to validate returning inbound traffic.

4. After the web server and your computer complete the handshaking needed to open a TCP connection, the web server sends a reply (the contents of the webpage you requested) addressed to your computer's IP address and source port.

5. The firewall receives the incoming traffic and compares its source and destination addresses and ports with the information in its state table. If the information matches, the firewall permits the reply to pass through to the browser. If the data doesn't match in all respects, the firewall silently discards the packet.

6. Your browser displays the received information.
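The six steps above can be simulated in a few dozen lines. The following is an added example, not code from the book or from Windows Firewall: a toy stateful-inspection filter that keeps a state table keyed on the five attributes listed earlier (transport protocol, source and destination address, source and destination port), records each outbound connection the protected host opens, and admits an inbound packet only when it matches a recorded flow in every field. The IP addresses, the port numbers and the `StatefulFilter`/`Packet` names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A flow is identified by its 5-tuple:
# (transport protocol, source IP, source port, destination IP, destination port)
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str        # transport protocol, e.g. "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str    # "out" = leaving the protected host, "in" = arriving at it


class StatefulFilter:
    """Toy stateful-inspection packet filter (constructed example, not Windows Firewall)."""

    def __init__(self, allowed_outbound_ports: Set[int]):
        # Static packet-filter criterion: destination ports the host may open itself.
        self.allowed_outbound_ports = allowed_outbound_ports
        # State table: flows the protected host initiated (step 3 of the walkthrough).
        self.state_table: Dict[FlowKey, str] = {}

    @staticmethod
    def _outbound_key(pkt: Packet) -> FlowKey:
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    @staticmethod
    def _reply_key(pkt: Packet) -> FlowKey:
        # A reply travels the opposite way, so swap source and destination
        # before looking it up against the outbound entry that created the state.
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def process(self, pkt: Packet) -> str:
        """Return "allow" or "drop" for one packet, updating the state table."""
        if pkt.direction == "out":
            if pkt.dst_port not in self.allowed_outbound_ports:
                return "drop"
            # Remember the connection so the returning traffic can be validated.
            self.state_table[self._outbound_key(pkt)] = "established"
            return "allow"
        # Inbound (step 5): every field must match a flow we opened; otherwise
        # the packet is unsolicited and is silently discarded.
        if self._reply_key(pkt) in self.state_table:
            return "allow"
        return "drop"


def demo() -> List[str]:
    """Run a constructed packet sequence through the filter and return its decisions."""
    fw = StatefulFilter(allowed_outbound_ports={80, 443})
    me, web = "192.0.2.10", "198.51.100.20"        # constructed documentation addresses
    packets = [
        Packet("tcp", me, 49152, web, 80, "out"),            # step 2: request to the web server
        Packet("tcp", web, 80, me, 49152, "in"),             # step 4: the legitimate reply
        Packet("tcp", web, 80, me, 49153, "in"),             # wrong client port: no state match
        Packet("tcp", "203.0.113.5", 80, me, 49152, "in"),   # unsolicited packet from another host
        Packet("udp", web, 80, me, 49152, "in"),             # right addresses, wrong protocol
        Packet("tcp", me, 49154, web, 23, "out"),            # outbound port not permitted by policy
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Only the first two packets are allowed: the outbound request creates the state entry, and the reply matches it in all five fields. The three inbound packets that differ in a single attribute are dropped even though each of them would pass a plain packet filter that permits "TCP from port 80". A production stateful firewall additionally checks TCP flags and sequence numbers and expires idle entries from the state table; both are omitted here to keep the matching logic visible.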

Compared with the firewall included in Windows XP, Windows Firewall has been enhanced in several ways:

• Windows Firewall supports monitoring and control of both incoming and outgoing network traffic.

• Through its Windows Firewall With Advanced Security console, Windows Firewall provides far more configuration options, and it can be configured remotely. A new wizard makes it easier to create and configure rules. Configuration of Internet Protocol security (IPsec)—a mechanism that provides for authentication, encryption, and filtering of network traffic—is also done in the Windows Firewall With Advanced Security console.

• In addition to the usual criteria (addresses, protocols, and ports), firewall rules can be configured for services, Active Directory accounts and groups, source and destination IP addresses for incoming and outgoing traffic, transport protocols other than TCP and UDP, network connection types, and more.

• Windows Firewall maintains three separate profiles, with the appropriate one selected depending on whether the computer is connected to a domain, a private nondomain network, or a public network.

Note that, if you use Windows XP Mode, the virtual machine should have its own firewall enabled. Because the virtual machine runs Windows XP Service Pack 3 (SP3), it uses the Windows XP firewall. For more information about XP Mode, see "Running Legacy Applications in Windows XP Mode" on page 164.
