The Personal Stateful Firewall uses
Deep Packet Inspection (DPI) functionality to manage application-level traffic
and its state. With the help of DPI functionality, the Personal Stateful
Firewall inspects packets up to Layer-7. It takes application behaviors into
account to verify that all session-related traffic is properly handled and then
decides which traffic to allow into the network.
Different applications follow different rules for their communication
exchanges, so the Personal Stateful Firewall manages each type of communication
session with its own rules through DPI functionality.
The Personal Stateful Firewall also provides inspection and filtering
of application content with DPI. The Personal Stateful Firewall performs many
functions simultaneously and detects, allows, or drops packets at the ingress
point of the network.
HTTP Application and State
HTTP is one of the main protocols used on the Internet today. It
uses TCP as its transport protocol, and its session initialization follows the
standard TCP connection method.
Because it runs over a TCP flow, HTTP allows an easier definition of the
overall session's state. It uses a single established connection from the
client to the server; all its requests are outbound and all responses are
inbound. The state of the connection matches the TCP state tracking.
For content verification and validation on the HTTP application
session, the Personal Stateful Firewall uses DPI functionality in the chassis.
PPTP Application and State
Point-to-Point Tunneling Protocol (PPTP) is one of the protocols
widely used to achieve Virtual Private Networks (VPN). PPTP allows the
Point-to-Point Protocol (PPP) to be tunneled through an IP network. PPTP uses
an enhanced GRE (Generic Routing Encapsulation) to carry PPP packets.
PPTP has two connection states: a control connection (TCP) and a
data connection (GREv1). PPTP exchanges IP- or port-specific information over
its control connection, and that information is then used to transfer data
over the tunnel. If a PPTP client resides behind NAT and uses a private IP to
communicate with the outside world, the information exchanged over the PPTP
control flow may contain private IPs.
TFTP Application and State
Trivial File Transfer Protocol (TFTP) is an application layer protocol
used by file transfer applications. TFTP uses UDP (User Datagram
Protocol) as its transport protocol and offers only basic functionality. TFTP
file operations consist of sending a file and receiving a file. TFTP supports
different modes for file transfer: netascii, ascii, octet, and binary.
TFTP has two connection states, a control connection and a data
connection, both operating over UDP. Initially, TFTP starts the control flow
(using UDP port 69) to communicate the type of file operation to be performed.
The client initiates the connection towards the server on port 69 (UDP). The
server replies to the client from a port other than 69, and data is transferred
in this flow. A negative reply is sent using one of the error codes defined by
TFTP.
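The TFTP behaviour described above (control request to UDP 69, server reply from a different port, error packets ending the transfer) is the reason a stateful firewall cannot track TFTP on a fixed 5-tuple. The following tracker is an added example, not code from the original document or from the product it describes: it records the pending request when a client sends an RRQ/WRQ to port 69, pins the data flow on the server's reply port, allows DATA/ACK in either direction of that flow, and tears the flow down on a TFTP ERROR. The mode list is the one given above; the host addresses, ports and file name in the test data are constructed.

```python
import struct

TFTP_PORT = 69
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
# Transfer modes listed in the text above; anything else is rejected as malformed.
MODES = {"netascii", "ascii", "octet", "binary"}


def opcode(payload):
    """Return the 16-bit big-endian TFTP opcode, or None if the datagram is too short."""
    return struct.unpack("!H", payload[:2])[0] if len(payload) >= 2 else None


def parse_request(payload):
    """Parse an RRQ/WRQ payload: opcode(2) | filename NUL | mode NUL.

    Returns (opcode, filename, mode) or None if the request is malformed
    or uses a mode the firewall does not recognise.
    """
    op = opcode(payload)
    if op not in (OP_RRQ, OP_WRQ):
        return None
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3 or not parts[0]:  # filename, mode, and the empty tail after the last NUL
        return None
    mode = parts[1].decode("ascii", "replace").lower()
    if mode not in MODES:
        return None
    return op, parts[0].decode("ascii", "replace"), mode


class TftpTracker:
    """Stateful tracker for TFTP control requests and the data flows they spawn."""

    def __init__(self):
        # (client_ip, client_port, server_ip) -> parsed request, awaiting the server's reply
        self.pending = {}
        # (client_ip, client_port, server_ip, server_tid) for established data flows
        self.flows = set()

    def inspect(self, src_ip, src_port, dst_ip, dst_port, payload):
        """Return 'allow' or 'drop' for one UDP datagram."""
        # 1. Client -> server:69 opens the control flow; only a well-formed RRQ/WRQ is accepted.
        if dst_port == TFTP_PORT:
            req = parse_request(payload)
            if req is None:
                return "drop"
            self.pending[(src_ip, src_port, dst_ip)] = req
            return "allow"
        # 2. The server's first reply comes from a port other than 69; that port becomes
        #    the server side of the data flow, and the pending entry is consumed.
        pend = (dst_ip, dst_port, src_ip)
        if pend in self.pending and src_port != TFTP_PORT:
            del self.pending[pend]
            flow = pend + (src_port,)
            self.flows.add(flow)
            return self._in_flow(flow, payload)
        # 3. Packets in an established data flow, client->server or server->client.
        for flow in ((src_ip, src_port, dst_ip, dst_port),
                     (dst_ip, dst_port, src_ip, src_port)):
            if flow in self.flows:
                return self._in_flow(flow, payload)
        return "drop"

    def _in_flow(self, flow, payload):
        op = opcode(payload)
        if op == OP_ERROR:
            # Negative reply: let the error through, then forget the flow.
            self.flows.discard(flow)
            return "allow"
        if op in (OP_DATA, OP_ACK):
            return "allow"
        # Anything else inside a data flow is a protocol violation; close it.
        self.flows.discard(flow)
        return "drop"
```

A datagram that arrives on the data flow before the control request was seen, or from a host other than the one the client contacted, never matches a pending entry and is dropped; the tracker only ever opens a flow that the client's own request asked for.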
File Transfer Protocol and State
FTP is an application for moving files between systems across the
network. It is a two-way connection and uses TCP as its transport protocol.
Because it runs over a TCP flow, FTP allows an easier definition of the overall
session's state. As it uses a single established connection from the client to
the server, the state of the connection matches the TCP state tracking.
The Personal Stateful Firewall uses application-port mapping together with
FTP application-level content verification and validation through DPI
functionality in the chassis. It also supports a pinhole data structure and its
initialization, wherein the FTP ALG parses the FTP PORT command to identify the
initiation and termination end points of future FTP DATA sessions. The
source/destination IP and destination port of the FTP DATA session are stored.
When a new session is to be created for a call, a check is made to see
whether the source/destination IP and destination port of this new session match
the stored values. On a match, a new ACS data session is created.
This lookup in the pinhole list is made before the port trigger check and
the stateful firewall ruledef match. If the lookup returns a valid pinhole, the
session is allowed. Whenever a new FTP data session is allowed because of a
pinhole match, the associated pinhole is deleted. Pinholes are also expired
when the associated FTP control session is deleted, or when the subscriber
call goes down.
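The pinhole lifecycle described above (PORT command parsed on the control session, a pinhole keyed by source/destination IP and destination port, consumed on the first matching data session, expired with the control session) is illustrated by the following added example. It is not code from the original document or from the product it describes; the control-session identifiers, addresses and ports are constructed, and the check that the address carried in PORT must equal the control session's own client address is an extra validation step this example adds, not one the text above states.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 : four address octets, then the port as p1*256 + p2
PORT_RE = re.compile(rb"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line):
    """Parse an FTP PORT command line; return (ip, port) or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        return None
    ip = ".".join(str(x) for x in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


class FtpPinholes:
    """Pinhole table the FTP ALG consults before port-trigger and ruledef checks."""

    def __init__(self):
        # (src_ip, dst_ip, dst_port) of the expected DATA session -> owning control session
        self.pinholes = {}
        # control session id -> set of pinhole keys it created, for bulk expiry
        self.by_control = {}

    def on_control_command(self, control_id, client_ip, server_ip, line):
        """Inspect one command on a control session; open a pinhole for a valid PORT.

        Returns the pinhole key, or None if the line is not a usable PORT command.
        """
        parsed = parse_port_command(line)
        if parsed is None:
            return None
        data_ip, data_port = parsed
        # Added validation (assumption, not from the text): only honour a PORT whose
        # address is the control session's own client address.
        if data_ip != client_ip:
            return None
        # Active mode: the server opens the DATA session towards the address in PORT,
        # so the expected session is server -> client:data_port.
        key = (server_ip, data_ip, data_port)
        self.pinholes[key] = control_id
        self.by_control.setdefault(control_id, set()).add(key)
        return key

    def lookup_new_session(self, src_ip, dst_ip, dst_port):
        """Pinhole check for a new session; a hit allows it and consumes the pinhole."""
        key = (src_ip, dst_ip, dst_port)
        control_id = self.pinholes.pop(key, None)
        if control_id is None:
            return False
        self.by_control[control_id].discard(key)
        return True

    def on_control_closed(self, control_id):
        """Expire every pinhole created by a control session that went away."""
        for key in self.by_control.pop(control_id, set()):
            self.pinholes.pop(key, None)
```

Because the pinhole is removed on its first match, a second connection to the same client port after the data session was established no longer bypasses the port-trigger and ruledef checks; it has to qualify on its own.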