Define stateful firewall configurations
The Workload Security stateful firewall configuration mechanism analyzes each packet in the context of traffic history, correctness of TCP and IP header values, and TCP connection state transitions. In the case of stateless protocols like UDP and ICMP, a pseudo-stateful mechanism is implemented based on historical traffic analysis. Packets are handled by the stateful mechanism as follows:
- A packet is passed to the stateful routine if it has been allowed through by the static firewall rule conditions,
- The packet is examined to determine whether it belongs to an existing connection, and
- The TCP header is examined for correctness (e.g. sequence numbers, flag combinations, etc.).
To create a new stateful configuration, you need to:
- Add a stateful configuration .
- Enter stateful configuration information.
- Select packet inspection options.
When you're done with your stateful configuration, you can also learn how to
- See policies and computers a stateful configuration is assigned to
- Export a stateful configuration
- Delete a stateful configuration
There are three ways to define a stateful configuration on the Policies > Common Objects > Other > Firewall Stateful Configurations page:
- Create a new configuration. Click New > New Firewall Stateful Configuration.
- Import a configuration from an XML file. Click New > Import From File.
- Copy and then modify an existing configuration. Right-click the configuration in the Firewall Stateful Configurations list and then click Duplicate. To edit the new configuration, select it and then click Properties.
Enter a Name and Description for the configuration.
You can define options for IP, TCP, UDP and ICMP packet inspection, end enable Active or Passive FTP.
IP packet inspection
Under the General tab, select the Deny all incoming fragmented packets to drop any fragmented packets. Dropped packets will bypass fragmentation analysis and generate an "IP fragmented packet" log entry. Packets with a total length smaller than the IP header length are dropped silently.
- Invalid fragmentation flags/offset: A packet is dropped when either the DF and MF flags in the IP header are set to 1, or the header contains the DF flag set to 1 and an Offset value different than 0.
- First fragment too small: A packet is dropped if its MF flag is set to 1, its Offset value is at 0, and it has total length of less than 120 bytes (the maximum combined header length).
- IP fragment out of boundary: A packet is dropped if its Offset flag value combined with the total packet length exceeds the maximum datagram length of 65535 bytes.
- IP fragment offset too small: A packet is dropped if it has a non-zero Offset flag with a value that is smaller than 60 bytes.
Under the TCP tab, select which of the following options you would like to enable:
- Deny TCP packets containing CWR, ECE flags: These flags are set when there is network congestion.
RFC 3168 defines two of the six bits from the Reserved field to be used for ECN (Explicit Congestion Notification), as follows:
Automated packet transmission (such as that generated by a denial of service attack, among other things) will often produce packets in which these flags are set.
- Bits 8 to 15: CWR-ECE-URG-ACK-PSH-RST-SYN-FIN
- TCP Header Flags Bit Name Reference:
- Bit 8: CWR (Congestion Window Reduced) [RFC3168]
- Bit 9: ECE (ECN-Echo) [RFC3168]
- Enable TCP stateful inspection: Enable stateful inspection at the TCP level. If you enable stateful TCP inspection, the following options become available:
- Enable TCP stateful logging: TCP stateful inspection events will be logged.
- Limit the number of incoming connections from a single computer to: Limiting the number of connections from a single computer can lessen the effect of a denial of service attack.
- Limit the number of outgoing connections to a single computer to: Limiting the number of outgoing connections to a single computer can significantly reduce the effects of Nimda-like worms.
- Limit the number of half-open connections from a single computer to: Setting a limit here can protect you from DoS attacks like SYN Flood. Although most servers have timeout settings for closing half-open connections, setting a value here can prevent half-open connections from becoming a significant problem. If the specified limit for SYN-SENT (remote) entries is reached, subsequent TCP packets from that specific computer will be dropped.
When deciding on how many open connections from a single computer to allow, choose your number from somewhere between what you would consider a reasonable number of half-open connections from a single computer for the type of protocol being used, and how many half-open connections from a single computer your system can maintain without getting congested.
- Enable ACK Storm protection when the number of already acknowledged packets exceeds: Set this option to log an event that an ACK Storm attack has occurred.
ACK Storm protection options are only available on Deep Security Agent 8.0 and earlier.
- Drop Connection when ACK Storm detected: Set this option to drop the connection if such an attack is detected.
Under the FTP Options tab, you can enable the following options:
- Allow Incoming: Allow Active FTP when this computer is acting as a server.
- Allow Outgoing: Allow Active FTP when this computer is acting as client.
- Allow Incoming: Allow Passive FTP when this computer is acting as a server.
- Allow Outgoing: Allow Passive FTP when this computer is acting as a client.
UDP packet inspection
Under the UDP tab, you can enable the following options:
Enable UDP stateful inspection: Select to enable stateful inspection of UDP traffic.
The UDP stateful mechanism drops unsolicited incoming UDP packets. For every outgoing UDP packet, the rule will update its UDP "stateful" table and will then only allow a UDP response if it occurs within 60 seconds of the request. If you wish to allow specific incoming UDP traffic, you will have to create a Force Allow rule. For example, if you are running a DNS server, you will have to create a Force Allow rule to allow incoming UDP packets to destination port 53.Without stateful inspection of UDP traffic, an attacker can masquerade as a DNS server and send unsolicited UDP "replies" from source port 53 to computers behind a firewall.
- Enable UDP stateful logging: Selecting this option will enable the logging of UDP stateful inspection events.
ICMP packet inspection
Under the ICMP tab, you can enable the following options:
Enable ICMP stateful inspection: Select to enable stateful inspection of ICMP traffic.
The ICMP (pseudo-)stateful mechanism drops incoming unsolicited ICMP packets. For every outgoing ICMP packet, the rule will create or update its ICMP "stateful" table and will then only allow a ICMP response if it occurs within 60 seconds of the request. (ICMP pair types supported: Type 0 & 8, 13 & 14, 15 & 16, 17 & 18.)With stateful ICMP inspection enabled, you can, for example, only allow an ICMP echo-reply in if an echo-request has been sent out. Unrequested echo-replies could be a sign of several kinds of attack including a Smurf amplification attack, a Tribe Flood Network communication between master and daemon, or a Loki 2 back-door.
- Enable ICMP stateful logging: Selecting this option will enable the logging of ICMP stateful inspection events.
You can export all stateful configurations to a .csv or .xml file by clicking Export and selecting the corresponding export action from the list. You can also export specific stateful configurations by first selecting them, clicking Export and then selecting the corresponding export action from the list.
To delete a stateful configuration, right-click the configuration in the Firewall Stateful Configurations list, click Delete and then click OK.
You can see which policies and computers are assigned to a stateful inspection configuration on the Assigned To tab. Click on a policy or computer in the list to see their properties.