|
In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known active connection will be allowed by the firewall; others will be rejected. Stateful inspection, also referred to as dynamic packet filtering, is a security feature often included in business networks. Check Point Software introduced stateful inspection in the use of its FireWall-1 in 1994.〔(United States Patent 5,606,668 )〕〔(Check Point's Press Release ) “Check Point Introduces Revolutionary Internet Firewall Product Providing Full Internet Connectivity with Security; Wins 'BEST OF SHOW' Award at Networld+Interop ‘94”. 1994-05-06〕 ==History== Before the advent of stateful firewalls, there were ''stateless firewalls'', a firewall that treated each network frame (or packet) in isolation. Packet filters like these operated at the Network Layer (layer 3) and functioned more efficiently because they only looked at the header part of a packet. A drawback of pure packet filters is that they are stateless; they do not keep track of traffic and have no memory of previous packets which makes them vulnerable to spoofing attacks. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. Modern firewalls are connection-aware (or state-aware), offering network administrators finer-grained control of network traffic. The classic example of a network operation that may fail with a stateless firewall is the File Transfer Protocol (FTP). By design, such protocols need to be able to open connections to arbitrary high ports to function properly. Since a stateless firewall has no way of knowing that the packet destined to the protected network (to some host's destination port 4970, for example) is part of a legitimate FTP session, it will drop the packet. Stateful firewalls with application inspection solve this problem by maintaining a table of open connections, inspecting the payload of some packets and intelligently associating new connection requests with existing legitimate connections. Early attempts at producing firewalls operated at the application layer, which is the very top of the seven-layer OSI model. This method required exorbitant amounts of computing power and is not commonly used in modern implementations. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Stateful firewall」の詳細全文を読む スポンサード リンク
|