
Firewall Concepts

1. Firewalls can use different implementations like packet filtering, application layer gateways, or stateful inspection to control communication between internal and external networks according to a security policy.

2. Stateful inspection firewalls like Checkpoint Firewall-1 have advantages over packet filters as they can use communication information, derived states, and application information to selectively allow previously authenticated users access.

3. Stateful packet inspection firewalls filter packets at the network layer while examining fields like source/destination IP and ports to remember connection states and update dynamic tables, allowing existing sessions through faster than re-evaluating each packet. Proxy firewalls filter at the application layer, taking more time to terminate and reinitiate sessions.

Uploaded by

Bhuvnesh Purohit
Copyright
© Attribution Non-Commercial (BY-NC)

1. The purpose of a firewall is to ensure security in communications between internal and external networks. A firewall allows or disallows communication across the firewall in accordance with a predefined security policy.

2. Firewall implementations: there are different implementations of firewalls. The most notable are:

   a. A firewall implemented with packet filters works at the Network Layer of the ISO/OSI stack.

   b. A firewall implemented with application layer gateways works at the Application Layer of the ISO/OSI stack.

   c. A firewall implemented with stateful technology (like Checkpoint Firewall-1) works at all layers of the ISO/OSI model.

3. A firewall implemented with stateful inspection technology (FireWall-1 uses stateful inspection) has several advantages over packet filters:

                              Communication   Communication    Application      Information
                              Information     Derived State    Derived State    Manipulation
Application Layer Gateway     Partial         No               No               No
Packet Filters                Partial         Partial          Yes              Yes
Stateful Inspection           Yes             Yes              Yes              Yes

4. The following information is used by Firewall-1, which uses stateful inspection technology:

   a. Communication information from different layers of the TCP/IP stack.

   b. The state derived from previous communications.

   c. The state derived from other applications; for example, a previously authenticated user would be allowed access through the firewall for authorized services only.

Stateful Packet Inspection Firewall:

These firewalls are based on filtering packets at the network level. They examine protocol packet header fields: source IP, destination IP, TCP/UDP source port and TCP/UDP destination port. They are stateful because the firewall can remember prior connection states and continuously updates the state of each connection in its dynamic connection table.

Whenever a firewall receives a SYN packet initiating a TCP connection, this SYN packet is reviewed against the firewall rulebase. If the packet matches a rule it is allowed; otherwise it is denied. If the packet is accepted, the session is entered in the firewall's stateful connection table, which is located in kernel memory. Every packet that follows (that does not have a SYN) is then compared to the stateful inspection table. If the session is in the table, the packet is part of an existing session and is allowed through the firewall. If it does not match an existing session in the table, it is dropped. This improves performance because not every packet is compared with the rulebase: only SYN packets are compared with the rulebase, and all other packets are compared to the state table in kernel memory, which is very fast.
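The SYN-to-rulebase, everything-else-to-state-table flow described above, as an added example that is not part of the original document or of any vendor's code. The rulebase entries, addresses and packet trace are constructed for illustration; the Python set stands in for the kernel connection table.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True only for the connection-initiating packet

# Constructed rulebase: (source prefix, destination, destination port, action).
# First match wins; anything unmatched is dropped (implicit cleanup rule).
RULEBASE = [
    ("10.0.0.", "203.0.113.10", 443, "accept"),
    ("10.0.0.", "203.0.113.10", 80, "accept"),
]

class StatefulFirewall:
    def __init__(self):
        self.state_table = set()   # stands in for the kernel connection table

    def _match_rulebase(self, p):
        for src_prefix, dst, dport, action in RULEBASE:
            if p.src.startswith(src_prefix) and p.dst == dst and p.dport == dport:
                return action
        return "drop"

    def process(self, p):
        """Return 'accept' or 'drop' for one packet, updating the state table."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)   # reply direction of the same session
        if p.syn:
            action = self._match_rulebase(p)     # only SYN packets hit the rulebase
            if action == "accept":
                self.state_table.add(fwd)
            return action
        # Non-SYN packet: allowed only if it belongs to a session already in the table
        return "accept" if fwd in self.state_table or rev in self.state_table else "drop"

def run_constructed_trace():
    fw = StatefulFirewall()
    trace = [
        Packet("10.0.0.5", "203.0.113.10", 51000, 443, syn=True),  # new session, rule matches
        Packet("203.0.113.10", "10.0.0.5", 443, 51000),            # SYN/ACK reply, in table
        Packet("10.0.0.5", "203.0.113.10", 51000, 443),            # data packet, in table
        Packet("198.51.100.7", "10.0.0.5", 4444, 51000),           # stray non-SYN, no session
        Packet("10.0.0.5", "203.0.113.10", 51001, 25, syn=True),   # SYN to a port no rule allows
    ]
    return [fw.process(p) for p in trace]
```

The trace returns accept for the first three packets and drop for the last two: the stray non-SYN packet never reaches the rulebase at all, it simply fails the state-table lookup.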

Proxy Server Stateful Firewall:

These firewalls filter services at the application level. They terminate the session at their interface and initiate a separate connection with the internal server, thus taking a little more time to establish the session. They are by nature slower in processing because they are more application based.

Today there is very little difference between these two firewall technologies, as more and more stateful packet inspection firewall vendors take a hybrid approach that combines both concepts. The main engine of the stateful firewall is implemented to maintain connection states, and then features such as virus scanning, URL filtering, Java/ActiveX filtering etc. are superimposed over it to get the best of both worlds.
