STATEFUL PACKET INSPECTION FIREWALL

Introduction

The world is just about everything Internet today.

For individuals, the Internet heralds a different lifestyle living in a virtual world. For
corporations, the Internet offers a whole new way of doing business online and new
avenues of making money.

Harnessing the power of the Internet is now no longer a choice in an increasingly

globalized economy; it is a must-have tool to survive, thrive and stay ahead of the
competition.

As companies wire up to the Internet, they are actually establishing physical links
between their private networks with the tens of thousands of unknown networks out
there in cyberspace. This affords a wealth of information, through data-sharing, to
just about anyone with access.

Whilst this interconnectivity enables an efficient pooling of resources across different

networks, it also opens up sensitive, proprietary data of individual networks to
potential abuse, especially if information meant for private consumption falls into the
wrong hands.

With many well-publicized reports of successful cyber-attacks on the world’s most

sophisticated and best designed networks in recent years, ensuring network security
has now become top priority for many system administrators.

In today’s wired context, networking is more than just about efficient connectivity.
More importantly, it is about making data transmission safe and secure for the
delivery of services over the Internet.

Firewall as a Line of Defense

The primary means for most companies for securing their private networks against
unauthorized public access is to set up a firewall.

A firewall is an access control device, performing perimeter security by determining

which packets are allowed or denied into the network. It monitors all traffic entering
and leaving the private network and alerts IT staff to any attempts to circumvent
security or patterns of inappropriate use based on certain criteria like high-volume
packet inspection, internal address masking and hazardous content detection.

If well-deployed, a firewall can provide effective defense against unauthorized access

by external users. In addition to access control, an Internet firewall can also provide
a central system for the administration of other network security measures.

One challenge of setting up any firewall is to configure the right amount of security
to sufficiently “immunize” the network against external hacking without the
imposition of unacceptable limitations on internal users or undue management
complexity.
Stateful Packet Inspection Firewall

A simpler, yet more rigorous method of access control is to implement a firewall like
a Stateful Packet Inspection Firewall (SPI) that analyzes packets in terms of
sessions. How the SPI Firewall works is it will examine all incoming data transmission
– if a packet is deemed a legitimate reply to a previous request from within the
network, the SPI Firewall would permit its passage through. Otherwise, access is
denied. Such an approach allows relatively unrestricted transmission from within the
network, and selective but flexible access from the outside.

The SPI Firewall also uses a monitoring algorithm to track individual connections and
it is also enabled to grant open temporary access in the firewall under appropriate
conditions. For example, packets are allowed to pass only if associated with a valid
session initiated from within the network.
Configuration of Compex’s SPI Firewall

All Compex NetPassage routers are built with SPI Firewall capability. In order to
access the Compex Firewall feature, users need to acquire an access key from the
two Compex websites at www.compex.com.sg or www.cpx.com.

Compex SPI Firewall can stop IP Spoofing, Port Scanning, Ping of Death and
SynFlood.

The Firewall access key can be purchased from the Compex website.

Upon acquiring the Firewall access key, users will need to input the Firewall
parameters before the full Firewall features can be activated. The configuration page
is shown in Figure 1.

Figure 1. SPI Firewall

By default, the Firewall features have been disabled. To activate the SPI Firewall
capability, please select the Enable radio button.

Compex provides a simple and easy setup of the firewall properties. There are 3
radio buttons which allow users to select the security level that they want to have for
 their network. The three levels are namely, Low, Medium, and High level. Each of
these selections provides a different level of security.

Low Medium High

Accepts all ICMP packets *

Allows Domain Name Service (DNS).

The UDP packet uses source port 53
Allows Dynamic Host Control Protocol. (DHCP)

Allow File Transfer Protocol (FTP)

Allows TCP packets with source port 20
Allows to access web pages from outside the network

Support x-stop
The UDP packets uses source port 334 and 1645
*Does not allow ICMP packets that are initiated from outside the network.

Compex SPI Firewall allows you to keep a log file on the handling of the data
packets. To set the information that is recorded in the log file, please click on the
check boxes of the data types.

Figure 2 Log Information Selection

Application Application-layer protocol Underlying Transport Protocol

Electronic mail SMTP TCP
Remote terminal access Telnet TCP
Web HTTP TCP
file transfer FTP TCP
Remote file server NFS typically UDP
Streaming multimedia proprietary typically UDP
Internet telephony proprietary typically UDP
Network Management SNMP typically UDP
Routing Protocol RIP typically UDP
Name Translation DNS typically UDP
Compex SPI Firewall upon setting up has defined a set of default rules as shown in
Figure 3. By activating the firewall, it would activate Rule Number 21 to 26. These
rules are defined in the table below.

Figure 3. Default Firewall Configuration Rule

Rule Description
Number
21 Allows ICMP packets into the network
22 Allows UDP packet generated from
23 Allows TCP packets generated from Port 80 to 83 into the network.

Port 80 – HTTP request

Port 81 – HOSTS2 Name Server
Port 82 – XFER Utility
Port 83 – MIT ML Device
24 Allows TCP packets generated from Port 8080 into the network.

Port 8080 – HTTP request

25 Allows UDP packets generated from Port 334.

Port 334 – X-Stop Server

26 Allows UDP packets generated from Port 1645.

Port 1645 –X-Stop Server

To change the configuration of the Firewall, please select the Add button located at
the bottom of the web page. Upon selection, the Firewall Rule Configuration page will
be flashed on the screen. Please refer to Figure 4. This web page would allow the
setting of your Firewall to meet the security requirements of your network.

Figure 4. Firewall Configuration Rule Page

Rule Number
This is the identifier for the Firewall configuration. Each Firewall setting will be
associated with a rule number. Please enter a number in this field.

Disposition Policy
The value in this parameter would determine the data packet would be accepted or
denied by firewall. Users are allow to select between Accept or Deny to determine
the handling of the data packet by the firewall

Protocols
Users are allowed to select the type of data packet that are allowed into the network.
Users are able to choose from
1. TCP
2. UDP
3. ICMP
4. IGMP
5. All

Transmission Control Protocol (TCP), is one of the main protocols in TCP/IP

networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to
establish a connection and exchange streams of data. TCP guarantees delivery of
data and also guarantees that packets will be delivered in the same order in which
they were sent.

User Datagram Protocol (UDP), a connectionless protocol that, like TCP, runs on
top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services,
offering instead a direct way to send and receive datagrams over an IP network. It's
used primarily for broadcasting messages over a network.

Internet Control Message Protocol (ICMP), is a message control and error-

reporting protocol between a host server and a gateway to the Internet. ICMP uses
Internet Protocol (IP) datagrams, but the messages are processed by the IP software
and are not directly apparent to the application user.

Internet Group Management Protocol (IGMP) is the standard for IP multicasting

in the Internet.
It is used to establish host memberships in particular multicast groups on a single
network. The mechanisms of the protocol allow a host to inform its local router,
using Host Membership Reports, that it wants to receive messages addressed to a
specific multicast group. All hosts conforming to level 2 of the IP multicasting
specification require IGMP.

Note:
If users select either ICMP or IGMP, they are require to make further selection in the
ICMP Types or IGMP Types respectively.
ICMP Types
This protocol is actually part of an IP implementation and is used to report errors in
IP datagram routing. ICMP serves as a form of flow control, although ICMP messages
are neither guaranteed to be received or transmitted. It is merely a way to provide
feedback to the sender of IP datagrams.

Echo request Determines whether an IP node (a host or a router) is available on the network.
Echo reply Replies to an ICMP echo request.
Destination
Informs the host that a datagram cannot be delivered.
unreachable
Informs the host to lower the rate at which it sends datagrams because of
Source quench
congestion.
Redirect Informs the host of a preferred route.
Time exceeded Indicates that the Time-to-Live (TTL) of an IP datagram has expired.
Parameter Problem Informs that host that there is a problem in one the ICMP parameter.
Timestamp Request Information that is from the ICMP data packet.
Information Request Information that is from the ICMP data packet.
Information Reply Information that is from the ICMP data packet.

IGMP Types
This protocol is actually part of an IP implementation and is used to establish host
memberships in particular multicast groups on a single network. The mechanisms of
the protocol allow a host to inform its local router, using Host Membership Reports.

Host Membership Report Information that is from the IGMP data packet.
Host Membership Query Information that is from the IGMP data packet.
Leave Host Message Information that is from the ICMP data packet.

Source IP
This parameter determines the set of workstations that generate the data packets.
Users can either set to a single IP address or set as a range of IP addresses.

Destination IP
This parameter determines the set of workstations that receive the data packets.
Users can either set to a single IP address or set as a range of IP addresses.

Source Port
This parameter determines the application from the specified port number from the
source. Users can either set to a single port number or a range of port numbers.
Port numbers are from 0 to 65536. Ports 0 to 1024 are reserved for use by certain
privileged services. For example, the port number for Telnet is 23 and the port
number for http is 80.

Destination Port
This parameter determines the application from the specified port number from the
destination. Users can either set to a single port number or a range of port numbers.
Check Options
This parameter would determine the check options. The available selection options
are

Abbreviation
SEC Security
LSRR Loose Source Route
Timestamp Timestamp
RR Record Packet Route
SID Satnet ID
SSRR Strict Source Route
RA Router Alert

Check TTL
This parameter would set the checking rule for TTL. It would determine whether the
parameter is equal, less then, greater than or not equal to the TTL value. The
available selection options are

1. Equal
2. Less than
3. Greater than
4. Not equal

Careful planning is always advised prior to the setting up of any firewall as any
incorrect configuration might result in undesirable behavior of the network. This
document has discussed the configuration of the Compex SPI Firewall.

For users who prefer more stringent checks on the data packets that enter their
networks, multiple rules can be set so that users can have a tight secure network.

Please visit our web site at www.compex.com.sg or www.cpx.com to find out more
on our products and firmware updates.