A Stateful Packet Inspection firewall is also called a Dynamic Packet Filter
firewall. A static packet filter firewall cannot handle some multi-port
applications very well, such as FTP and IRC. To solve this problem, dynamic
packet filter firewalls monitor (and sometimes modify) some application data
at the packet level, and dynamically open ports if necessary. For example,
they watch for the PORT command from the client and the PASV response from
the server. However, they assume that the command or the response is carried
in a single packet, and none of these application protocols requires this. One
of the biggest disadvantages of packet filter firewalls is that the logged
information is not descriptive enough.
An application gateway firewall operates at the application level, and
checks whether the data follows the corresponding protocol or not.
The differences between these two types of firewall are:
1. With an application gateway firewall, a direct connection between the
client and the server is not allowed. The firewall connects to the server only
after the 3-step TCP handshake is completed between the client and the
firewall. Therefore, the server is not affected by some DoS attacks like SYN
flood. However, a dynamic packet filter firewall has to forward the SYN request
to the server if the firewall allows this service; therefore the server may be
attacked and stop working properly before the firewall detects the SYN flood.
2. An application gateway firewall only allows well-formed application data,
and regenerates the packets, so the session data will not be passed to the
server if the data does not follow the corresponding protocol. Some attacks
like the tiny fragment attack and the overlapping fragment attack are useless
against an application gateway firewall.
3. An application gateway firewall has better controllability. The firewall
provides options for administrators so that they can disallow some dangerous
operations. For example, the administrator can disallow HTTP DELETE requests
from being sent to his HTTP server, and disallow any WRITE operations to his
FTP server from the Internet.
4. An application gateway firewall generates clear and descriptive logs. This
is very helpful for administrators to trace the activities of hackers and
block their further attacks.
Now some advanced firewalls like Checkpoint support application gateway
functionality, for example when the firewall is required to do HTTP URL
checks. But in these cases, they only allow a small number of concurrent
connections. The ITShield firewall (http://www.itshield.com), however, handles
all sessions at the application level by default. It can handle more than 5000
TCP sessions, unlimited UDP sessions, and unlimited IP sessions at the
application level in
We need a firewall because we want the best protection for our networks.
> > There is a firewall called ITShield firewall (http://www.itshield.com).
> > Because application proxy provides the highest level of security and
> Ok I won't start a debate here but ... where's the difference between
> a *good & solid* STATEFUL packet filter and that critter ? If you know
> how to set up filtering rules there's no need for proxies or the like imo.
> In any case ... that was just my 2 cents, free of using whatever you like
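To make the PORT/PASV tracking and the application-level checks described in the post concrete, here is an added example in Python (it is not code from the original post, and not ITShield's or Checkpoint's code) of a toy FTP control-channel inspector. It buffers each direction of the control connection so that a PORT command split across two TCP segments is still recognised, which is exactly the case the post says a per-packet filter gets wrong; it validates every client line against the RFC 959 command shape before forwarding it, and it enforces a hypothetical "no write operations from the Internet" policy of the kind item 3 describes. The WRITE_COMMANDS set, the policy, the function names and the sample traffic are all constructed for this example.

```python
"""Toy FTP control-channel inspector (added example, not the post's or
ITShield's code). A dynamic packet filter only needs the PORT/PASV part to
open data-channel pinholes; an application gateway also rejects malformed or
policy-violating commands and regenerates only what it forwards."""
import re
from dataclasses import dataclass, field

# PORT h1,h2,h3,h4,p1,p2 from the client; "227 ... (h1,h2,h3,h4,p1,p2)" from the server
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 959 commands: a 3- or 4-letter verb, optionally followed by a space and an argument
CMD_RE = re.compile(r"^([A-Z]{3,4})(?: (.*))?$", re.I)

# Hypothetical policy for the gateway check (constructed for this example):
# commands that write to the server are refused from the Internet side.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}


def host_port(groups):
    """Turn the six h1..h4,p1,p2 fields into (host, port); None if any field exceeds a byte."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def naive_port_pinhole(segment: bytes):
    """What a per-packet filter does: it only sees a PORT command if the whole
    line lies inside this one segment, so a command split across segments is missed."""
    for line in segment.decode("ascii", "replace").split("\r\n"):
        m = PORT_RE.match(line)
        if m:
            return host_port(m.groups())
    return None


@dataclass
class Pinhole:
    host: str
    port: int
    direction: str  # "server->client" for PORT, "client->server" for PASV


@dataclass
class FtpInspector:
    """Stream-aware inspector: reassembles each direction into CRLF lines first."""
    client_buf: bytes = b""
    server_buf: bytes = b""
    pinholes: list = field(default_factory=list)
    forwarded: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    @staticmethod
    def _split_lines(buf: bytes):
        lines = []
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            lines.append(line.decode("ascii", "replace"))
        return buf, lines  # the remainder waits for the next segment

    def from_client(self, segment: bytes):
        self.client_buf, lines = self._split_lines(self.client_buf + segment)
        for line in lines:
            self._client_line(line)

    def from_server(self, segment: bytes):
        self.server_buf, lines = self._split_lines(self.server_buf + segment)
        for line in lines:
            self._server_line(line)

    def _client_line(self, line: str):
        m = CMD_RE.match(line)
        if not m:
            self.rejected.append((line, "malformed command"))
            return
        verb = m.group(1).upper()
        if verb in WRITE_COMMANDS:
            self.rejected.append((line, "write operation not allowed"))
            return
        if verb == "PORT":
            pm = PORT_RE.match(line)
            hp = host_port(pm.groups()) if pm else None
            if hp is None:
                self.rejected.append((line, "malformed PORT"))
                return
            # the server will connect back to this client address/port
            self.pinholes.append(Pinhole(hp[0], hp[1], "server->client"))
        self.forwarded.append(line)

    def _server_line(self, line: str):
        pm = PASV_RE.match(line)
        if pm:
            hp = host_port(pm.groups())
            if hp is None:
                self.rejected.append((line, "malformed PASV reply"))
                return
            # the client will connect out to this server address/port
            self.pinholes.append(Pinhole(hp[0], hp[1], "client->server"))
        self.forwarded.append(line)


def demo():
    """Constructed sample traffic; the PORT command is split across two segments."""
    insp = FtpInspector()
    insp.from_client(b"USER anonymous\r\nPO")
    insp.from_client(b"RT 192,168,1,10,4,1\r\n")  # 4*256+1 = port 1025
    insp.from_server(b"227 Entering Passive Mode (10,0,0,5,195,80)\r\n")  # port 50000
    insp.from_client(b"STOR evil.exe\r\n")  # refused by the write policy
    insp.from_client(b"PORT 192,168,1,10,999,1\r\n")  # 999 is not a byte
    insp.from_client(b"\x01\x02garbage\r\n")  # not an FTP command at all
    insp.from_client(b"RETR notes.txt\r\n")
    return insp
```

Run `demo()` and compare `naive_port_pinhole` on the two halves of the split PORT command: the per-packet check returns None for both segments, while the buffered inspector opens the 192.168.1.10:1025 pinhole once the second segment completes the line. Note that a real gateway would also have to guard the data-channel pinholes themselves (match only the expected peer, expire them once the transfer starts or times out), which this toy leaves out.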