A Model of Stateful Firewalls and its Properties Mohamed G. Gouda and Alex X. Liu1 Department of Computer Sciences, The University of Texas at Austin, Austin, Texas 78712-1188, U.S.A. Email: {gouda, alex}@cs.utexas.edu Abstract deployed in most businesses and institutions for securing private networks. A firewall is placed at the point of entry We propose the first model of stateful firewalls. In this between a private network and the outside Internet so that model, each stateful firewall has a variable set called the all incoming and outgoing packets have to pass through it. state of the firewall, which is used to store some packets The function of a firewall is to map each incoming or out- that the firewall has accepted previously and needs to re- going packet to one of a set of predefined decisions, such as member in the near future. Each stateful firewall consists of accept or discard. Based on how a decision is made for ev- two sections: a stateful section and a stateless section. Upon ery packet, firewalls are categorized into stateless firewalls receiving a packet, the firewall processes it in two steps. In and stateful firewalls. If a firewall decides the fate of every the first step, the firewall augments the packet with an ad- packet solely by examining the packet itself, then the fire- ditional field called the tag, and uses the stateful section to wall is called a stateless firewall. If a firewall decides the compute the value of this field according to the current state fate of some packets not only by examining the packet it- of the firewall. In the second step, the firewall compares self but also by examining the packets that the firewall has the packet together with its tag value against a sequence of accepted previously, then the firewall is called a stateful fire- rules in the stateless section to identify the first rule that the wall. Using a stateful firewall to protect a private network, packet matches: the decision of this rule determines the fate one can achieve finer access control by tracking the commu- of the packet. Our model of stateful firewalls has several nication state between the private network and the outside favorable properties. First, despite its simplicity, it can ex- Internet. For example, a stateful firewall can refuse to ac- press a variety of state tracking functionalities. Second, it cept any packet from a remote host to a local host unless the allows us to inherit the rich results in stateless firewall de- local host has previously sent a packet to the remote host. sign and analysis. Third, it provides backward compatibil- Although a variety of stateful firewall products have ity such that a stateless firewall can also be specified using been available and deployed on the Internet for some time, our model. This paper goes beyond proposing this state- such as Cisco PIX Firewalls [4], Cisco Reflexive ACLs [5], ful firewall model itself. A significant portion of this paper CheckPoint FireWall-1 [3] and Netfilter/IPTables [13], no is devoted to analyzing the properties of stateful firewalls model for specifying stateful firewalls exists. The lack of that are specified using our model. We outline a method for such a model constitutes a significant impediment for fur- verifying whether a firewall is truly stateful. The method ther development of stateful firewall technologies. First, is based on the three properties of firewalls: conforming, without a model, it is difficult to conduct research on state- grounded, and proper. We show that if a firewall satisfies ful firewalls. This explains why so little research on state- these three properties, then the firewall is truly stateful. ful firewalls has been done so far. In contrast, benefit- ing from the well-established rule based model of stateless firewalls, the research results for stateless firewalls have 1 Introduction been numerous. People have known how to design state- less firewalls [2, 7, 8, 10] and how to analyze stateless fire- walls [1, 6, 9, 11, 12, 16]. But the question of how to design Serving as the first line of defense against unauthorized and analyze stateful firewalls remains unanswered. Second, and potentially malicious traffic, firewalls have been widely because there is no specification model for stateful firewalls, 1Alex X. Liu is the corresponding author of this paper. in existing stateful firewall products, state tracking func- Proceedings of the 2005 International Conference on Dependable Systems and Networks (DSN’05) 0-7695-2282-3/05 $20.00 © 2005 IEEE Authorized licensed use limited to: Michigan State University. Downloaded on October 21, 2009 at 22:54 from IEEE Xplore. Restrictions apply. tionalities have been hard coded and different vendors hard walls that are specified using our model. In Section 4, we code different state tracking functionalities. For example, discuss how to remove packets that are no longer needed the Cisco PIX Firewalls do not track the state for ICMP from the state of a firewall. In Section 5, we study the issues packets. Consequently, it is hard for the administrator of related to firewall states. In Section 6, we present a method such a firewall to track the Ping [14] protocol. Last, without for verifying that a firewall is truly stateful. In Section 7, a specification model, it is difficult to analyze the properties we give concluding remarks. of stateful firewalls. For example, it is difficult to analyze For simplicity, in the rest of this paper, we use “firewall” the properties of existing stateful firewalls because some of to mean “stateful firewall” unless otherwise specified. the functions of these firewalls are hard coded while others are specified by their administrators. All in all, a specifica- tion model for stateful firewalls is greatly needed. 2 Firewall Model In this paper, we propose the first stateful firewall model. In our firewall model, each firewall has a variable set called In this section, we introduce our firewall model through the state of the firewall, which is used to store some pack- an example of a simple firewall that resides on the gateway ets that the firewall has accepted previously and needs to router depicted in Figure 1. This router has two interfaces: remember in the near future. Each firewall consists of two interface 0, which connects the router to the outside Inter- sections: a stateful section and a stateless section. Each sec- net, and interface 1, which connects the router to a private tion consists of a sequence of rules. For every packet, the network. stateful section is used to check whether the state has a pre- vious packet that may affect the fate of the current packet. Firewall Mail Server To store this checking result, we assume that each packet (Gateway Router) (IP: 192.1.2.3) Host 1 Host 2 has an additional field called the tag. The stateless section is used to decide the fate of each packet based on the infor- Internet CISCOSYSTEMS mation in the packet itself and its tag value. 0 1 Our stateful firewall model has the following favorable A private network properties. First, it can express a variety of state tracking functionalities. Using a set of packets to record communi- cation state provides a great deal of flexibility in expressing Figure 1. A firewall for a private network state tracking functionalities since the state of a communi- cation protocol is characterized by packets. In a sense, our stateful firewall model captures the essence of communica- tion states. Second, because we separate a firewall into a This firewall tracks the Ping protocol (Packet Internet stateful section and a stateless section, we can inherit the Groper Protocol) [14] to counter “smurf” attacks. The Ping existing rich results in designing and analyzing stateless protocol is used by a host to determine whether another host firewalls because a stateless section alone is in fact a full- is up. When a host A wants to test whether a host B is up, fledged stateless firewall. Third, our model is simple, easy A sends to B a series of ICMP (Internet Control Message to use, easy to understand, and easy to implement. Last, our Protocol) ping (i.e., echo request) packets. All of these ping model is a generalization of the current stateless firewall packets have the same ID but different sequence numbers. model. Although our model is intended to specify stateful When B receives from A a ping packet with ID x and se- firewalls, it can also be used to specify stateless firewalls, quence number y, B sends back to A a pong (i.e., echo simply by leaving the stateful section empty and keeping reply) packet with the same ID x and the same sequence the state empty. number y. The “smurf” attack, a type of Denial of Service This paper goes beyond proposing the stateful firewall attack, works as follows. An attacker sends a ping packet, model itself. A significant portion of this paper is devoted to whose source IP address has been forged to be the IP ad- analyzing the properties of stateful firewalls that are spec- dress of a victim host, to the broadcast address of a subnet- ified using our model. We outline a method for verifying work. Subsequently, every host on the subnetwork will send that a firewall is truly stateful. The method is based on three a pong packet to the victim host. properties of firewalls: conforming, grounded, and proper. One way to counter “smurf” attacks for a private network We show that if a firewall satisfies these three properties, is to use a firewall to discard every incoming pong packet then the firewall is truly stateful.