Application Gateways and Stateful Inspection:

A Brief Note Comparing and Contrasting

Avolio and Blask
Trusted Information System, Inc.
Revised: 1/22/98

Introduction

The Internet Security industry has grown tremendously in the past several years: the increase in demand for related products has far outstripped even this rapid expansion. There has subsequently developed a state of confusion among those in purchasing positions as to the concrete qualities of competing products. We wrote this paper to clarify one of the issues currently under debate in the Internet Security market: packet filter versus application gateway technology as a basis for secure connection to the Internet.

Thanks to the members of the Internet Firewalls mailing list for providing input into this revision.
 

Representative Vendors

The leading vendors in these two categories are Trusted Information Systems, with a transparent application gateway and Check Point, with a stateful packet filter gateway.

Trusted Information Systems (TIS) was founded in 1983 in Rockville, Maryland, and has been a developer of Internet security software since the early days of TCP/IP and the ARPAnet. TIS is the developer of the TIS Internet Firewall Toolkit (FWTK), which is freely distributed on the Internet, and in use at over 50,000 Internet sites.

Check Point was founded in 1993 in Tel Aviv, Israel, and is the developer of an enhanced packet filter technology trade-named "Stateful Multilevel Inspection."

This paper is not strictly a comparison between the two companies or their products. All information contained herein is general in nature and applies to all known implementations in both categories.
 

An Overview and Comparison

Firewalls have evolved over the past ten years through a series of "generations". It is possible to arrange these to fit various needs, but the most direct approach is to look at our two categories separately.
 

Packet Filtering ó First Generation

Packet filtering is a process of allowing or denying the passage of traffic between networks based on the information in the header of each packet of data. Source, destination, port (service) and some other information is available to a packet filtering device for use in establishing rules to allow or deny the flow of network traffic.

Before commercial firewalls became available and popular, individuals responsible for administering networks began creating rules to disallow certain unwanted traffic and router vendors worked to provide tools to enable this growing need. Packet filtering at this stage was called "static," because any desired method of connecting between the internal and external networks must be left open at all times.

The advantages of static packet filtering are:

Because it does very little work outside of routing traffic, the overhead is extremely low, so near or at hardware speed traffic is likely. The ability to setup packet filters is standard in most Internet Connectivity hardware (usually routers) and a typical System Administrator can make some inroads into controlling traffic through this device. Packet filtering is also always helpful for managing traffic on networks.

The disadvantages of static packet filtering is that it:

Some organizations today still use static packet filtering as a security measure. In many cases this is due to either their newness to the Internet, legacy installations or use as a minimum-security measure.

Packet Filtering Ė Second Generation

The most obvious disadvantage of static packet filters is the array of "doors" that must be left open at all times to allow desired traffic. This weakness made sites with static packet filters open to a wide range of attacks preying on the security of hosts on the internal networks. Since host security is often treated as a lower priority by organizations, these types of attacks were and are frequently successful.

To address this issue, dynamic packet filtering techniques were developed. Dynamic packet filters open and close "doors" in the firewall based on header information in the data packet as described above. Once a series of packets has passed through the "door" to itís destination, the firewall closes the door.

Stateful packet filtering is an enhancement to dynamic packet filtering. This technology tries to make sense out of higher-level protocols and adapt filtering rules to accommodate protocol-specific needs (e.g., simulated connections for connectionless protocols such as NFS and RPC services). The stateful packet filter keeps track of state and context information about a session. This technology can be applied to the UDP protocol as well, setting up a virtual session, giving the illusion of security where no security exists. In Check Pointís implementation, this inspection module sits between the Data Link layer and Network layer.

Adding state tracking to a packet filter certainly may increase the security of the basic filter, but does not address the content or implications of the traffic being handled.

The advantages of dynamic packet filtering are that it:

Since the amount of time a hole in the perimeter is open is greatly reduced, many types of attacks that work against static packet filters are more difficult or perhaps impossible to use against a dynamic packet filter. Again, because there is very little work done outside of routing traffic the overhead is relatively low. Therefore, similar hardware platforms will often produce higher throughput when using dynamic packet filtering techniques than when using application gateways.

Since packet filters are application-unaware, they can be set up to allow any type of IP traffic to pass through the firewall.

The disadvantages of dynamic packet filtering is that it:

While dynamic packet filtering does well in reducing the amount of exposure, external systems, under the control of the firewall, still are able to make an IP connection with an internal machine as the endpoint. The primary disadvantage of any packet filtering gateway is that once access has been granted by the device to a host on the internal network, the attacker has direct access to any exploitable weaknesses in either the software or the configuration of that host. The ability to jump off to other internal hosts from that point is restrained only by the security present on those hosts.

What is commonly known as "spoofing" ó pretending to be a trusted IP address as a method of attacking the network behind that device ó was a well known vulnerability for Internet sites for many years. Most modern dynamic packet filters include fixes to most known methods of spoofing, but the problem remains in that trust is placed in an external system based on itís IP address. Even if the incoming traffic is from the proper host, there is no check to confirm that the host is being operated by the authorized owners. In other words, if a hacker has compromised that external host it can be used as a gateway to your internal network.

Further, packet filtering firewalls do not support the concept of strong user authentication. It is a serious breach of network security to allow access from untrusted networks without strong authentication (see the question on strong user authentication). Some packet filter vendors have begun adding rudimentary application gateways to support this need.

One of the advantages of a packet filter over an application gateway is that any type of traffic can be allowed though. This is also one of the greatest areas of concern regarding packet filters. Without knowing what an application is capable of doing to a system on the internal network, there is no way to gauge the threat imposed by that application. Therefore, many dangerous applications are often allowed through packet filter firewalls in typical user implementations.

Application Gateways ó First Generation

An application gateway is a firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application gateway firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host.

An application gateway is considered by experts to be the most secure type of firewall. All connections to the internal network go through the firewall. An application level firewall is distinguished by the use of security proxies (application gateways) for services such as FTP, TELNET, etc., which prevent direct access to services on the internal network.

The advantages of application gateways are that they:

The primary advantage of application gateway firewalls is that no direct connections are allowed through the firewall under any circumstances. Application gateway software is also referred to as proxy software, because the application gateway software running on the firewall "stands in the gap" and looks like server software to the client, and client software to server.

Imagine a telephone conversation where you are speaking to your lawyer on one line and he in turn is speaking to a party with whom you want to communicate carefully on another. Since the content and wording of the conversation is critically important, you and your lawyer have decided that the third party will not know who you are, where you are, or even that you explicitly exist. Any attempts to harm you by this connection will be pointed at your lawyer, who is specifically trained for that purpose and is protected by known structures (in this example, legal structures). A packet filter, in this example, would bring the two of you together then leave the room.

To look again at our lawyer example, application gateways perform a similar function as a lawyer would in reading the content of a document before allowing you to act on it. The lawyer must be intimately familiar with the meaning and implications of the contents of the document in relation to their affect on you (the client) and must protect you from taking any action that would be dangerous to your well being. This requires the lawyer to study the pertinent field and to be an expert.

To add a contrast to this example, a packet filter is similar to a lawyer that checks the label of the first piece of mail to come from a specific address, then forwards it and all subsequent documents to you. This lawyer has no expertise on the topic being discussed in the documents, nor does it ever check to make sure the contents do not include a letter bomb.

The disadvantages of some application gateways are that they:

This first will always apply to an application gateway because an application gateway firewall is often doing more security work. If the contents of every "document" (to stick with our lawyer analogy for another moment) are examined in detail, the process will always take longer than simply sorting the mail. Fortunately, this overhead is easily handled by typical server hardware platforms. The throughput of an application gateway will usually be much higher than the connection to the external network.

The second disadvantage was the most inconvenient. To be able to speak with the "lawyer" on the firewall, client workstations had to have special versions of the client software installed. With transparency, this requirement goes away.

The last disadvantage is a factor of the level of security desired by the organization using the firewall. An example of this issue is the appearance of a new type of application in use on the external network (read "Internet" for most installations). To be ridiculously clear on this point, we will postulate that this new application is called "Cool Format" ó and apparently it is all the rage. Internal users have heard about this new application and insisted that it be allowed into the corporate network from hosts on the Internet. The application gateway approach says that we will not let this traffic through until we know how it works and what can be done to keep it from damaging the internal network. (Research into the application shows that its function is to allow remote users to format hard drives on the client workstation). To complete our lawyer analogy, not running these new applications through an application gateway is like telling your corporate lawyer that she is not to read any contracts in blue envelopes; these will all be signed by the first random employee found in the hallway and returned to their source.

To address this last point in the light of organizational reality, application gateway vendors typically provide tools for the creation of "generic" proxies, and may even permit some form of packet filtering (with disclaimers). The real measure of an application gateway vendor, though, is how quickly they can produce application aware proxies for new and desirable applications.

Transparent Application Gateways ó Second Generation

Transparency is the major development in the second generation of application gateways. One of the most onerous drawbacks of earlier application gateways was that each workstation behind the firewall must be configured to be aware of the firewall and must have client software that is designed to be capable of communicating with the proxy software on the firewall. The introduction of transparency in application gateways means that in modern secure environments the client workstations do not either have to be aware of the firewall or run special software to communicate with the external network.

As stated in the last section, the reason for the difference in speed of packet filters and application gateways is a function of the amount of security provided by the firewall. Fortunately, with current hardware platforms only connections requiring more than 75-100 Mbps throughput per gateway must consider packet filter firewalls. Since T3 (45 Mbps) Internet connections are unusually fast (most organizations use a maximum of T1, or 1.5 Mbps, Internet connections), only Intranet applications on extremely high-speed (ATM or gigabit Ethernet) networks are forced to seriously consider packet filters.

Application gateways are capable of supporting the common applications in use on the Internet. TIS, as an example, maintain a staff of qualified engineers to monitor the emergence of new applications and protocols. As demand for these new services grows, we provide purpose-built proxies for these emerging applications.

Specific Claims and Counterpoints

In Check Pointís original technical note on stateful packet filtering entitled "Stateful Inspection Firewall Technology," the writers make certain initial claims.
 
 
Stateful packet filtering is "a new generation of firewall" As mentioned earlier, this is an arbitrary statement. There are no simple generations of firewalls, and dynamic packet filtering is at best a positive improvement over static packet filter firewalls.
Stateful packet filtering is "emerging as the industry standard" The majority of firewalls in use on the Internet are application gateways, and the majority of these use Trusted Information Systems software. The de facto Internet standard is application gateway technology.
 

Check Point claims that their SPF technology is capable of accessing, analyzing, and use information from all seven layers in the IP packet. SPF may be "capable" of doing this, but their implementation certainly does not do this for most, if any, of Check Pointís supported network services.

Check Point claims that application gateways will only partially examine communications information and communication-derived state. We do not understand this statement, as application gateways are inherently capable of doing both comprehensively.

Application gateways, of course, are also "Stateful" firewalls. As stated in a May 1997 Gartner Group, "The Stateful firewall may be a proxy gateway or a Stateful inspection firewall. Typical examples include ÖTrusted Information Systemsí Gauntlet or Check Pointís Firewall-1."

Check Point claims that their dynamic packet filter product has all the security of an application gateway with the speed of a packet filter. That, on the one hand, it is trivial to add new services with a dynamic packet filter, yet on the other hand they also claim that the filter has application-level knowledge built into it. These two statements are mutually exclusive. For instance, on Check Pointís web page they show how to implement certain new protocols:

Instructions for adding Sybase SQL server support to FireWall-1:
Sybase SQL uses TCP ports above 1024. The port used is defined in the configuration of the Sybase server.
To configure FireWall-1 for use with Sybase SQL:
1. From the GUI, add a TCP service called Sybase SQL Server.
   Define this port as using the port defined in the SQL server configuration.
2. Accept this service in the Rulebase.
There is no indication in this configuration that the firewall has any knowledge of the internals of Sybase SQL traffic.

Another example is

Instructions for adding Microsoft NetMeeting support to FireWall-1:
Add TCP port 1503 in GUI.
Again, there appears to be no knowledge of the function of the application whatsoever in this configuration. In contrast, the NetMeeting proxy that comes with the Gauntlet Internet Firewall provides several forms of access control including host-based access and ACLs for user name equivalents. "Quick and easy" additions to stateful packet filters cannot do these things.

Uses for Application Gateway and Stateful Packet Filter Security

We strongly believe that customers who are serious about security, application gateways are the only answer for external firewall technology. However, stateful packet filters may be an adequate solution for Intranets, organizations with lower risks or as a front-end coarse filter to an application gateway. Internet Service Providers and sites using the stateful packet filter to protect an outside server machine (such as a web server) are potential candidates for dynamic or stateful packet filter firewalls.

There are many reasons that most firewall experts consider packet filters inadequate for serious security environments.

Packet filters are less granular (look less deeply into the communication stream) and do less security work than application gateways. Therefore, they are insufficient for applications where serious security is needed. Things you cannot do with packet filters include: Check Point has added some of these features into their once purely stateful packet filter by adding application gateway software (proxies), making Firewall-1 a hybrid firewall.

Final Thoughts

Some have stated that stateful packet filters are faster than application gateways. No doubt that they should be faster ó as implemented, they do less work, less security processing. Stateful packet filters are less granular than application gateways; they do not do any verification of the protocol. An application gateway looks more closely at the data.

As security expert Bill Stout wrote on the firewall mailing list, "The purpose of a security device is to protect a network, not to be fast. Fast is what airline travelers want when passing through airport security, secure is what they want when they tumble through the air after their plane blows up."

Stateful packet filters may be adequate for low risk Intranets, or in situations where raw throughput has priority over security. Application gateways should be the technology of choice for organizations that are serious about protecting their networks.