12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


Network security overview
Security considerations

Stateful packet filter

Stateful packet filtering security gateways build on the functionality of simple packet filtering security gateways by extracting certain well-known bit patterns in the protocol headers of TCP and UDP connections. They create and maintain a table of established, open TCP and UDP connections, and then examine and compare header information of each packet that passes through the security gateway. This state information is used to track open, valid connections without having to process the rule set for each packet. Only the first packet of a connection is approved; subsequent connection packets are recognized and allowed unchecked.

Stateful packet filters have a number of weaknesses, including:

■ Inability to protect against application-level attacks
■ Susceptibility to sophisticated IP fragmentation and IP source routing attacks
■ No control of application-specific operations, such as read/write or put/get
■ Configuration in the proper order to work as intended
■ Inability to automatically perform address hiding
■ Susceptibility to routing-based attacks or to failing open
■ Complex configuration

Circuit-level

Unlike Symantec security gateways, which look for application-level data before allowing a connection, circuit-level security gateways operate at the session level. They typically rely on a state table containing a list of valid connections. Subsequent TCP and UDP connections are allowed based on comparison with the information in the state table.

The downside to this approach is that it works at the session layer only. Once a session is established, the security gateway might allow any type of traffic to pass through. This is inherently less secure than proxying connections at the application level, and might leave the protected network open to attacks that exploit the security gateway's lack of contextual information. This lack of contextual information also makes it difficult to distinguish between different types of traffic for the same protocol, like FTP gets and FTP puts.

Application-proxy firewall

Many consider application-proxy firewalls to offer the most robust inspection of packets. Not only can you review the source IP address, destination IP address, and ports to determine whether to allow or deny the packet, but you can also perform a full inspection of the data. Because application proxies get information about a packet at any layer of the network stack, they are capable of detecting many attacks that other firewall types miss. For example, an application proxy for HTTP can block the traffic based on an illegal or malformed HTTP command, whereas firewall types like packet filter or circuit-level have no knowledge of the data in the packets.

One major drawback to application-proxy firewalls is that they generally perform most of the work in application space. This makes them inherently slower than other types of firewalls, as packets must travel to the uppermost layers of the network stack for processing.

Symantec hybrid security gateway

Symantec's security gateways are hybrid firewalls that offer the following advantages:

■ True packet filter.
■ Optional stateful packet inspection and the ability to speed up traffic throughput with its fast path mechanism.
■ Application proxies that are RFC-compliant and protect against well-known attacks through protocol anomaly detection (PAD).
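
The difference between a state-table lookup and application-level inspection, described in the sections above, can be seen in a small model. This is an added illustration, not code from the Symantec guide or any Symantec product; the rule set, addresses, method list and sample packets are constructed assumptions.

```python
from collections import namedtuple

# Constructed packet model: header fields plus an optional payload.
Packet = namedtuple("Packet", "src sport dst dport syn payload",
                    defaults=(False, b""))

ALLOWED_DPORTS = {80}  # hypothetical rule set: permit new connections to HTTP only
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}

class StatefulFilter:
    """Rule set is consulted only for the packet that opens a connection."""
    def __init__(self):
        self.state = set()          # table of established connections
        self.rule_evaluations = 0   # how often the rule set was processed

    def accept(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.state:
            return True             # established: allowed, payload never read
        if not p.syn:
            return False            # no state entry and not a connection opener
        self.rule_evaluations += 1
        if p.dport in ALLOWED_DPORTS:
            self.state.add(key)
            return True
        return False

def http_proxy_accept(payload):
    """Application-level check: request line must be 'METHOD /target HTTP/1.x'."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return (len(parts) == 3 and parts[0] in HTTP_METHODS
            and parts[1].startswith(b"/")
            and parts[2] in (b"HTTP/1.0", b"HTTP/1.1"))

def run_demo():
    fw = StatefulFilter()
    flow = ("198.51.100.7", 40000, "192.0.2.10", 80)   # documentation addresses
    packets = [                                        # constructed sample traffic
        Packet(*flow, syn=True),
        Packet(*flow, payload=b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        Packet(*flow, payload=b"FOO\x00BAR not-http\r\n\r\n"),  # malformed command
        Packet("198.51.100.7", 40001, "192.0.2.10", 23, syn=True),
    ]
    results = []
    for p in packets:
        filt = fw.accept(p)
        proxy = filt and (not p.payload or http_proxy_accept(p.payload))
        results.append((filt, proxy))   # (stateful filter verdict, with HTTP proxy)
    return results, fw.rule_evaluations

if __name__ == "__main__":
    print(run_demo())
```

The third packet passes the stateful filter because its connection is already in the state table, while the HTTP check rejects it for its malformed request line.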
