Stateful Firewalls: Stateful Inspection and NAT

Today I am going to talk about firewalls. Many of you asked what a firewall actually is and what its purpose is in the network. I know most of you already know this, but I am going to cover the basic aspects of firewalls for beginners.

What is a Firewall and what is the purpose of a Firewall?
Firewalls reside in the network and are used for primary filtering (they can be physical appliances or VMs) at both the network and application layers. A firewall provides a platform for the features and functionality needed for network security, such as VPNs, NGIPS and anti-malware protection.

We have different types of firewalls: Stateful Firewalls, NGFW and UTM.

Next-generation security should not abandon proven stateful inspection capabilities in favor of application and user ID awareness by itself. A comprehensive network security solution needs to include firewalls, next-generation firewalls (application inspection and filtering) and next-generation intrusion prevention systems (context aware).

The firewall is often the conduit from which other defense components combat the threats that face the network.

How does a Firewall filter the traffic?
The genesis of firewalls was a means to filter traffic based on the five-tuple:
  1. Source IP address: the IP address of the initiator of the IP packet
  2. Destination IP address: the IP address of the destination of the IP packet
  3. Source port: the UDP or TCP port used by the initiator to establish communications with the destination
  4. Destination port: the UDP or TCP port used by the destination for the communication with the source
  5. IP protocol: the specific IP protocol used in the communication

Stateful Inspection Firewalls
Stateful firewalls track L3/L4 traffic as it leaves and returns to the network. Connections are maintained in a connection table that tracks the five-tuple and additional information such as sequence numbers.

With Stateful Inspection, packets are intercepted at the network layer for best performance (as in packet filters), but then data derived from all communication layers is accessed and analyzed for improved security (compared to layers 4–7 in application-layer gateways). 

Stateful Inspection then introduces a higher level of security by incorporating communication- and application-derived state and context information, which is stored and updated dynamically. This provides cumulative data against which subsequent communication attempts can be evaluated. It also delivers the ability to create virtual session information for tracking connectionless protocols (for example, RPC and UDP-based applications), something no other firewall technology can accomplish.

For example, limit outbound connections to known services and hosts, such as allowing SMTP servers to connect outbound only on port 25.

Fig 1.1- Stateful Inspection and NAT

NAT: Network Address Translation
Network address translation (NAT) is the mapping of IP addresses from a private network to a public network. NAT gives network administrators and security administrators:
  1. Access to non-publicly routable IPv4 space
  2. Cost savings, because public addresses are not cheap
  3. Masquerading of internal network addresses
  4. Relief from the exhaustion of the IPv4 address space
NAT is implemented on the firewall or by routers and is part of the security fabric of an enterprise. NAT also became popular due to the shortage of unique Internet IPv4 addresses, which made it impossible to connect all devices directly to the Internet.
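As an added example that is not part of the original post, here is a small Python model of the stateful inspection and NAT behaviour described in the two sections above. It keeps a connection table keyed by the five-tuple, translates inside source addresses to an assumed public address (203.0.113.1, a documentation-range placeholder), restricts outbound connections to a short assumed list of known services, and forwards inbound packets only when they match the reverse of a tracked connection.

```python
from dataclasses import dataclass

# Constructed example (not from the original post): a minimal stateful
# inspection firewall with source NAT (port address translation).
PUBLIC_IP = "203.0.113.1"      # assumed public address (documentation range)
INSIDE_PREFIX = "10.0.0."      # assumed private inside network
# Assumed outbound policy: only known services may be reached (proto, dst_port).
ALLOWED_OUTBOUND = {("tcp", 25), ("tcp", 80), ("tcp", 443), ("udp", 53)}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str                 # "tcp" or "udp"

class StatefulNatFirewall:
    def __init__(self, public_ip=PUBLIC_IP):
        self.public_ip = public_ip
        # Connection table, keyed by the inside five-tuple -> allocated NAT port.
        self.conn_table = {}
        # Reverse index: (nat_port, remote_ip, remote_port, proto) -> inside (ip, port).
        self.reverse = {}
        self.next_port = 40000

    def outbound(self, pkt):
        """Inside -> outside: enforce policy, record state, translate the source."""
        if not pkt.src_ip.startswith(INSIDE_PREFIX):
            return None                          # not from the inside network
        if (pkt.proto, pkt.dst_port) not in ALLOWED_OUTBOUND:
            return None                          # service not permitted outbound
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        nat_port = self.conn_table.get(key)
        if nat_port is None:                     # new connection: allocate state
            nat_port = self.next_port
            self.next_port += 1
            self.conn_table[key] = nat_port
            self.reverse[(nat_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pkt.dst_ip, nat_port, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Outside -> inside: only replies matching tracked state are forwarded."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if inside is None:
            return None                          # unsolicited inbound: no state, dropped
        return Packet(pkt.src_ip, inside[0], pkt.src_port, inside[1], pkt.proto)
```

A packet arriving from the outside that does not match an existing entry is dropped even if it targets the public address, which is the stateful behaviour that a plain five-tuple packet filter cannot provide.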