Firewalls (NEEDS WORK) Flashcards
Stateful Firewall
A stateful firewall is a kind of firewall that keeps track of and monitors the state of active network connections while analyzing incoming traffic and looking for potential traffic and data risks. This firewall is situated at Layers 3 and 4.
Basic firewall features include blocking traffic designated as dangerous from either coming into a network or leaving it. It is important to monitor the state and context of network communications because this information can be used to identify threats—based on where they are coming from, where they are going, or the content of their data packets.
Stateful Packet Inspection
Stateful packet inspection is a technology used by stateful firewalls to determine which packets to allow through the firewall. It works by examining the contents of a data packet and then comparing them against data pertaining to packets that have previously passed through the firewall.
Stateful packet filtering keeps track of all connections on the network, making sure they are all legitimate. Network-based static packet filtering also examines network connections, but only as they come in, focusing on the data in the packets’ headers. This data provides less information to the firewall, limiting it to where the packet came from and where it is going.
TCP
TCP is one of the primary protocols the internet uses to send and receive data, allowing data to be sent and received at the same time. In addition to helping transmit information, TCP contains data that can result in a reset (RST) of the connection, stopping it completely. TCP also dictates when the transmission should end with a FIN (finish) command. It groups data into packets, and when they arrive at the destination, the packets are reassembled into data the receiver can understand.
Stateful firewalls use TCP traffic to keep track of connections by examining the contents of the packets created in the TCP process. The three stages of a TCP connection—synchronize (SYN), synchronize-acknowledge (SYN-ACK), and acknowledge (ACK)—are used by a stateful inspection firewall to identify the parties involved in order to spot a potential threat. If signs of a bad actor are revealed as the TCP handshake takes place, the stateful firewall can discard the data.
Three-way Handshake
The three-way handshake involves both sides of the data transmission process synchronizing to initiate a connection, then acknowledging each other. In this process, each side transmits information to the other side, and this information is examined to see if anything is missing or not in the proper order.
As the handshake occurs, a stateful firewall can examine the data being sent and use it to glean information regarding the source, destination, how the packets are sequenced, and the data within the packet itself. If threats are detected, the firewall can reject the data packets.