Thanks to the members of the Internet Firewalls mailing list for providing
input into this revision.
Trusted Information Systems (TIS) was founded in 1983 in Rockville, Maryland, and has been a developer of Internet security software since the early days of TCP/IP and the ARPAnet. TIS is the developer of the TIS Internet Firewall Toolkit (FWTK), which is freely distributed on the Internet, and in use at over 50,000 Internet sites.
Check Point was founded in 1993 in Tel Aviv, Israel, and is the developer of an enhanced packet filter technology trade-named “Stateful Multilevel Inspection.”
This paper is not strictly a comparison between the two companies or
their products. All information contained herein is general in nature and
applies to all known implementations in both categories.
Before commercial firewalls became available and popular, individuals responsible for administering networks began creating rules to disallow certain unwanted traffic and router vendors worked to provide tools to enable this growing need. Packet filtering at this stage was called “static,” because any desired method of connecting between the internal and external networks must be left open at all times.
The advantages of static packet filtering are:
The disadvantages of static packet filtering is that it:
To address this issue, dynamic packet filtering techniques were developed. Dynamic packet filters open and close “doors” in the firewall based on header information in the data packet as described above. Once a series of packets has passed through the “door” to it’s destination, the firewall closes the door.
Stateful packet filtering is an enhancement to dynamic packet filtering. This technology tries to make sense out of higher-level protocols and adapt filtering rules to accommodate protocol-specific needs (e.g., simulated connections for connectionless protocols such as NFS and RPC services). The stateful packet filter keeps track of state and context information about a session. This technology can be applied to the UDP protocol as well, setting up a virtual session, giving the illusion of security where no security exists. In Check Point’s implementation, this inspection module sits between the Data Link layer and Network layer.
Adding state tracking to a packet filter certainly may increase the security of the basic filter, but does not address the content or implications of the traffic being handled.
The advantages of dynamic packet filtering are that it:
Since packet filters are application-unaware, they can be set up to allow any type of IP traffic to pass through the firewall.
The disadvantages of dynamic packet filtering is that it:
What is commonly known as “spoofing” — pretending to be a trusted IP address as a method of attacking the network behind that device — was a well known vulnerability for Internet sites for many years. Most modern dynamic packet filters include fixes to most known methods of spoofing, but the problem remains in that trust is placed in an external system based on it’s IP address. Even if the incoming traffic is from the proper host, there is no check to confirm that the host is being operated by the authorized owners. In other words, if a hacker has compromised that external host it can be used as a gateway to your internal network.
Further, packet filtering firewalls do not support the concept of strong user authentication. It is a serious breach of network security to allow access from untrusted networks without strong authentication (see the question on strong user authentication). Some packet filter vendors have begun adding rudimentary application gateways to support this need.
One of the advantages of a packet filter over an application gateway is that any type of traffic can be allowed though. This is also one of the greatest areas of concern regarding packet filters. Without knowing what an application is capable of doing to a system on the internal network, there is no way to gauge the threat imposed by that application. Therefore, many dangerous applications are often allowed through packet filter firewalls in typical user implementations.
An application gateway is considered by experts to be the most secure type of firewall. All connections to the internal network go through the firewall. An application level firewall is distinguished by the use of security proxies (application gateways) for services such as FTP, TELNET, etc., which prevent direct access to services on the internal network.
The advantages of application gateways are that they:
Imagine a telephone conversation where you are speaking to your lawyer on one line and he in turn is speaking to a party with whom you want to communicate carefully on another. Since the content and wording of the conversation is critically important, you and your lawyer have decided that the third party will not know who you are, where you are, or even that you explicitly exist. Any attempts to harm you by this connection will be pointed at your lawyer, who is specifically trained for that purpose and is protected by known structures (in this example, legal structures). A packet filter, in this example, would bring the two of you together then leave the room.
To look again at our lawyer example, application gateways perform a similar function as a lawyer would in reading the content of a document before allowing you to act on it. The lawyer must be intimately familiar with the meaning and implications of the contents of the document in relation to their affect on you (the client) and must protect you from taking any action that would be dangerous to your well being. This requires the lawyer to study the pertinent field and to be an expert.
To add a contrast to this example, a packet filter is similar to a lawyer that checks the label of the first piece of mail to come from a specific address, then forwards it and all subsequent documents to you. This lawyer has no expertise on the topic being discussed in the documents, nor does it ever check to make sure the contents do not include a letter bomb.
The disadvantages of some application gateways are that they:
The second disadvantage was the most inconvenient. To be able to speak with the “lawyer” on the firewall, client workstations had to have special versions of the client software installed. With transparency, this requirement goes away.
The last disadvantage is a factor of the level of security desired by the organization using the firewall. An example of this issue is the appearance of a new type of application in use on the external network (read “Internet” for most installations). To be ridiculously clear on this point, we will postulate that this new application is called “Cool Format” — and apparently it is all the rage. Internal users have heard about this new application and insisted that it be allowed into the corporate network from hosts on the Internet. The application gateway approach says that we will not let this traffic through until we know how it works and what can be done to keep it from damaging the internal network. (Research into the application shows that its function is to allow remote users to format hard drives on the client workstation). To complete our lawyer analogy, not running these new applications through an application gateway is like telling your corporate lawyer that she is not to read any contracts in blue envelopes; these will all be signed by the first random employee found in the hallway and returned to their source.
To address this last point in the light of organizational reality, application gateway vendors typically provide tools for the creation of “generic” proxies, and may even permit some form of packet filtering (with disclaimers). The real measure of an application gateway vendor, though, is how quickly they can produce application aware proxies for new and desirable applications.
As stated in the last section, the reason for the difference in speed of packet filters and application gateways is a function of the amount of security provided by the firewall. Fortunately, with current hardware platforms only connections requiring more than 75-100 Mbps throughput per gateway must consider packet filter firewalls. Since T3 (45 Mbps) Internet connections are unusually fast (most organizations use a maximum of T1, or 1.5 Mbps, Internet connections), only Intranet applications on extremely high-speed (ATM or gigabit Ethernet) networks are forced to seriously consider packet filters.
Application gateways are capable of supporting the common applications in use on the Internet. TIS, as an example, maintain a staff of qualified engineers to monitor the emergence of new applications and protocols. As demand for these new services grows, we provide purpose-built proxies for these emerging applications.
Stateful packet filtering is “a new generation of firewall” | As mentioned earlier, this is an arbitrary statement. There are no simple generations of firewalls, and dynamic packet filtering is at best a positive improvement over static packet filter firewalls. |
Stateful packet filtering is “emerging as the industry standard” | The majority of firewalls in use on the Internet are application gateways, and the majority of these use Trusted Information Systems software. The de facto Internet standard is application gateway technology. |
Check Point claims that their SPF technology is capable of accessing, analyzing, and use information from all seven layers in the IP packet. SPF may be “capable” of doing this, but their implementation certainly does not do this for most, if any, of Check Point’s supported network services.
Check Point claims that application gateways will only partially examine communications information and communication-derived state. We do not understand this statement, as application gateways are inherently capable of doing both comprehensively.
Application gateways, of course, are also “Stateful” firewalls. As stated in a May 1997 Gartner Group, “The Stateful firewall may be a proxy gateway or a Stateful inspection firewall. Typical examples include …Trusted Information Systems’ Gauntlet or Check Point’s Firewall-1.”
Check Point claims that their dynamic packet filter product has all the security of an application gateway with the speed of a packet filter. That, on the one hand, it is trivial to add new services with a dynamic packet filter, yet on the other hand they also claim that the filter has application-level knowledge built into it. These two statements are mutually exclusive. For instance, on Check Point’s web page they show how to implement certain new protocols:
Another example is
There are many reasons that most firewall experts consider packet filters inadequate for serious security environments.
As security expert Bill Stout wrote on the firewall mailing list, “The purpose of a security device is to protect a network, not to be fast. Fast is what airline travelers want when passing through airport security, secure is what they want when they tumble through the air after their plane blows up.”
Stateful packet filters may be adequate for low risk Intranets, or in situations where raw throughput has priority over security. Application gateways should be the technology of choice for organizations that are serious about protecting their networks.