Stateful Inspection Technology

Security Requirements

In order to provide robust security, a firewall must track and control the flow of communication passing through it. To reach control decisions for TCP/IP based services (e.g., whether to accept, reject, authenticate, encrypt and/or log communication attempts), a firewall must obtain, store, retrieve and manipulate information derived from all communication layers and from other applications.

It is not sufficient to examine packets in isolation. State information—derived from past communications and other applications—is an essential factor in making the control decision for new communication attempts. Depending upon the communication attempt, both the communication state (derived from past communications) and the application state (derived from other applications) may be critical in the control decision.

Thus, to ensure the highest level of security, a firewall must be capable of accessing, analyzing and utilizing the following:

• Communication Information
  Information from all seven layers in the packet.

• Communication-derived State
  The state derived from previous communications. For example, the outgoing PORT command of an FTP session could be saved so that an incoming FTP data connection can be verified against it.

• Application-derived State
  The state information derived from other applications. For example, a previously authenticated user would be allowed access through the firewall for authorized services only.

• Information Manipulation
  The ability to perform logical or arithmetic functions on data in any part of the packet.

Stateful Inspection Technology

Stateful Inspection, invented by Check Point Software Technologies, has emerged as the industry standard for enterprise-class network security solutions. Stateful Inspection is able to meet all the security requirements defined above while traditional firewall technologies, such as packet filters and application-layer gateways, each fall short in some areas. (See Table 1.)

With Stateful Inspection, packets are intercepted at the network layer for best performance (as in packet filters), but then data derived from all communication layers is accessed and analyzed for improved security (compared to layers 4–7 in application-layer gateways). Stateful Inspection then introduces a higher level of security by incorporating communication- and application-derived state and context information which is stored and updated dynamically. This provides cumulative data against which subsequent communication attempts can be evaluated. It also delivers the ability to create virtual session information for tracking connectionless protocols (e.g. RPC and UDP-based applications), something no other firewall technology can accomplish.
Check Point FireWall-1: Extensible Stateful Inspection

Check Point FireWall-1's Stateful Inspection architecture utilizes a unique, patented INSPECT Engine which enforces the security policy on the gateway on which it resides. The INSPECT Engine looks at all communication layers and extracts only the relevant data, enabling highly efficient operation, support for a large number of protocols and applications, and easy extensibility to new applications and services.

The INSPECT Engine is programmable using Check Point's powerful INSPECT Language. This provides important system extensibility, allowing Check Point, as well as its technology partners and end-users, to incorporate new applications, services, and protocols, without requiring new software to be loaded. For most new applications, including most custom applications developed by end users, the communication-related behavior of the new application can be incorporated simply by modifying one of FireWall-1's built-in script templates via the graphical user interface. Even the most complex applications can be added quickly and easily via the INSPECT Language. Check Point provides an open application programming interface (API) for third-party developers and regularly posts INSPECT Scripts to support new applications on the Check Point Web site at http://www.checkpoint.com.

[Figure: INSPECT Virtual Machine. Client and Server seven-layer stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) with the INSPECT Virtual Machine inserted on the gateway between the Data Link and Network layers, driven by the Security Policy Rule Base and Dynamic State Tables.]
FireWall-1's patented INSPECT Virtual Machine intercepts, analyzes, and takes action on all communications before they enter the operating system of the gateway machine, ensuring the full security and integrity of the network. Cumulative data from the communication and application states, network configuration and security rules are used to enforce the enterprise security policy.

Table 1: Comparison of Firewall Technologies

Firewall Capability            Packet Filters   Application-layer Gateways   Stateful Inspection
Communication Information      Partial          Partial                      Yes
Communication-derived State    No               Partial                      Yes
Application-derived State      No               Yes                          Yes
Information Manipulation       Partial          Yes                          Yes

The INSPECT™ Engine

When installed on a gateway, the FireWall-1 INSPECT Engine controls traffic passing between networks. The INSPECT Engine is dynamically loaded into the operating system kernel, between the Data Link and the Network layers (layers 2 and 3). Since the data link is the actual network interface card (NIC) and the network link is the first layer of the protocol stack (for example, IP), FireWall-1 is positioned at the lowest software layer. By inspecting at this layer, FireWall-1 ensures that the INSPECT Engine intercepts and inspects all inbound and outbound packets on all interfaces. No packet is processed by any of the higher protocol stack layers, no matter what protocol or application the packet uses, unless the INSPECT Engine first verifies that the packet complies with the security policy.

Because the INSPECT Engine has access to the 'raw message', it can inspect all the information in the message, including information relating to all the higher communication layers, as well as the message data itself (the communication- and application-derived state and context). The INSPECT Engine examines IP addresses, port numbers, and any other information required in order to determine whether packets should be accepted, in accordance with the defined security policy.

FireWall-1's INSPECT Engine understands the internal structures of the IP protocol family and applications built on top of them. For stateless protocols such as UDP and RPC, the INSPECT Engine creates and stores context data, maintaining a virtual connection on top of the UDP communication. The INSPECT Engine is able to extract data from the packet's application content and store it to provide context in those cases where the application does not provide it. Moreover, the INSPECT Engine is able to dynamically allow and disallow connections as necessary. These dynamic capabilities are designed to provide the highest level of security for complex protocols, but the user may disable them if they are not required.

The INSPECT Engine's ability to look inside a packet enables it to allow certain commands within an application while disallowing others. For example, the INSPECT Engine can allow an ICMP ping while disallowing redirects, or allow SNMP gets while disallowing sets, and so on. The INSPECT Engine can store and retrieve values in tables (providing dynamic context) and perform logical or arithmetic operations on data in any part of the packet. In addition to the operations compiled from the security policy, the user can write his or her own expressions.
Stateful Inspection vs. Traditional Firewall Architectures

Firewall Technologies

Packet Filters

Packet filters, historically implemented on routers, filter on user defined content, such as IP addresses. They examine a packet at the network layer and are application independent, which allows them to deliver good performance and scalability. They are the least secure type of firewall, however. The reason is that they are not application aware—that is, they cannot understand the context of a given communication, making them easier for hackers to break.

[Figure: Router. Two hosts with full seven-layer stacks communicate through a router that carries only the Physical, Data Link and Network layers; filtering takes place at the Network layer.]

Pros:
• Application Independence
• High Performance
• Scalability
Cons:
• Low Security
• No Screening Above Network Layer (no 'state' or application-context information)

Application-Layer Gateways

Application gateways improve on security by examining all application layers, bringing context information into the decision process. However, they do this by breaking the client/server model. Every client/server communication requires two connections: one from the client to the firewall and one from the firewall to the server. In addition, each proxy requires a different application process, or daemon, making scalability and support for new applications a problem.

[Figure: Application Gateway. Separate Telnet, FTP and HTTP proxies sit at the Application layer of the gateway, which carries the full seven-layer stack between the two hosts.]

Pros:
• Good Security
• Full Application-layer Awareness
Cons:
• Poor Performance
• Limited Application Support
• Poor Scalability (breaks client/server model)

Stateful Inspection

Check Point FireWall-1's Stateful Inspection overcomes the limitations of the previous two approaches by providing full application-layer awareness without breaking the client/server model. With Stateful Inspection, the packet is intercepted at the network layer, but then the INSPECT Engine takes over. It extracts state-related information required for the security decision from all application layers and maintains this information in dynamic state tables for evaluating subsequent connection attempts. This provides a solution which is highly secure and offers maximum performance, scalability, and extensibility.

[Figure: INSPECT Engine. The INSPECT Engine sits between the Data Link and Network layers of the gateway, backed by Dynamic State Tables, and inspects information from all layers of the two hosts' stacks.]

Pros:
• Good Security
• Full Application-layer Awareness
• High Performance
• Extensibility
• Scalability
• Transparency
FTP Examples

Packet filters have two choices with regard to outbound FTP connections. They can either leave the entire upper range (greater than 1023) of ports open which allows the file transfer session to take place over the dynamically allocated port, but exposes the internal network, or they can shut down the entire upper range of ports to secure the internal network which blocks other services. This trade-off between application support and security is not acceptable to users today.

[Figure: IP Filter. Steps 1-3 of an FTP session between Server and Client pass through the filter; the entire range of upper ports is left open, creating holes for hackers.]

In using an FTP proxy, the application gateway duplicates the number of sessions, acting as a proxied broker between the client and the server. Although this approach overcomes the limitation of IP filtering by bringing application-layer awareness to the decision process, it does so with an unacceptable performance penalty. In addition, each service needs its own proxy, so the number of available services and their scalability is limited. Finally, this approach exposes the operating system to external threats.

[Figure: Proxy. Steps 1-6 of an FTP session between Server and Client pass up through the Firewall OS (kernel space) to an FTP Daemon in application space and back down again.]

Check Point FireWall-1's Stateful Inspection tracks the FTP session, examining FTP application-layer data. When the client requests that the server generate the back-connection (an FTP PORT command), FireWall-1 extracts the port number from the request. Both client and server IP addresses and both port numbers are recorded in an FTP-data pending request list. When the FTP data connection is attempted, FireWall-1 examines the list and verifies that the attempt is in response to a valid request. The list of connections is maintained dynamically, so that only the required FTP ports are opened. As soon as the session is closed the ports are locked, ensuring maximum security.

[Figure: INSPECT Engine. Steps 1-3 of an FTP session between Server and Client are handled in the INSPECT Engine without leaving the kernel.]
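The FTP-data pending request list described above (and the "Communication-derived State" requirement in the Security Requirements section), modelled as an added Python example; this is not Check Point code. Addresses are constructed, and the refusal of privileged data ports and the one-connection-per-PORT rule are assumptions of the example.

```python
"""FTP PORT tracking in the style of FireWall-1's pending-request list.
Added example, not Check Point code; addresses are constructed samples."""
import re

# FTP PORT argument: h1,h2,h3,h4,p1,p2 (IP octets, then port = p1*256 + p2)
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line):
    """Return (ip, port) from an FTP PORT line, or None if it is malformed."""
    m = _PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port <= 1023:  # assumption: never open a privileged port for data
        return None
    return ip, port


class FtpStateTable:
    """Dynamic state table: which FTP-data back-connections are expected."""

    def __init__(self):
        # (server_ip, client_ip, client_port) recorded from outbound PORT commands
        self.pending = set()

    def on_control_line(self, client_ip, server_ip, line):
        """Inspect an outbound control-channel line; record a valid PORT request."""
        parsed = parse_port_command(line)
        if parsed is None:
            return False
        ip, port = parsed
        if ip != client_ip:  # PORT must point back at the client that sent it
            return False
        self.pending.add((server_ip, client_ip, port))
        return True

    def on_data_syn(self, src_ip, src_port, dst_ip, dst_port):
        """Decide on an inbound FTP-data connection attempt (server -> client)."""
        key = (src_ip, dst_ip, dst_port)
        if src_port == 20 and key in self.pending:
            self.pending.discard(key)  # assumption: one connection per request
            return "accept"
        return "drop"  # not in response to a recorded request

    def on_session_close(self, client_ip, server_ip):
        """Lock any ports still pending when the control session ends."""
        self.pending = {p for p in self.pending
                        if not (p[0] == server_ip and p[1] == client_ip)}
```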
Unlike other security solutions, FireWall-1's Stateful Inspection architecture intercepts, analyzes, and takes action on all communications before they enter the operating system of the gateway machine, ensuring the full security and integrity of the network. Cumulative data from the communication and application states, network configuration and security rules, are used to generate an appropriate action, either accepting, rejecting, authenticating, or encrypting the communication. Any traffic not explicitly allowed by the security rules is dropped by default and real-time security alerts and logs are generated, providing the system manager with complete network status.

Broad Application Support

Check Point FireWall-1's Stateful Inspection implementation supports hundreds of pre-defined applications, services, and protocols—more than any other firewall vendor. Support is provided for all major Internet services, including secure Web browsers, the traditional set of Internet applications (e.g. mail, FTP, Telnet, etc.), the entire TCP family, and connectionless protocols such as RPC and UDP-based applications. In addition, only FireWall-1's Stateful Inspection offers support for critical business applications such as Oracle SQL*Net database access and emerging multimedia applications such as RealAudio, VDOLive, and Internet Phone.

Some of the complex protocols uniquely secured by Check Point FireWall-1's Stateful Inspection implementation are described below and in the diagrams on Pages 4 and 5.

Securing Connectionless Protocols such as UDP

UDP (User Datagram Protocol)-based applications (DNS, WAIS, Archie, etc.) are difficult to filter with simplistic packet-filtering techniques because in UDP, there is no distinction between a request and a response. In the past, the choice has been to either eliminate UDP sessions entirely or to open a large portion of the UDP range to bi-directional communication, and thus to expose the internal network.

FireWall-1's Stateful Inspection implementation secures UDP-based applications by maintaining a virtual connection on top of UDP communications. FireWall-1's INSPECT Engine maintains state information for each session through the gateway. Each UDP request packet permitted to cross the firewall is recorded, and UDP packets traveling in the opposite direction are verified against the list of pending sessions to ensure that each UDP packet is in an authorized context. A packet that is a genuine response to a request is delivered and all others are dropped. If a response does not arrive within the specified time period, the connection times out. In this way, all attacks are blocked, while UDP applications can be utilized securely.
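The UDP "virtual connection" described above, as an added Python example that is not Check Point code. The 40-second timeout, the allowed-service set, the rule that a matched reply refreshes the session, and all addresses in the trace are constructed assumptions.

```python
"""Virtual connections over UDP, in the style of FireWall-1's pending-session
list. Added example, not Check Point code; timeout, allowed services and all
addresses are constructed assumptions."""


class UdpStateTable:
    """Maps (client_ip, client_port, server_ip, server_port) -> last activity time."""

    def __init__(self, timeout=40.0):
        self.timeout = timeout  # assumed value for the 'specified time period'
        self.sessions = {}

    def _expire(self, now):
        """Drop sessions that have seen no traffic within the timeout."""
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t <= self.timeout}

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now, allowed):
        """Client -> server datagram: if the rule base permits the service, record it."""
        self._expire(now)
        if dst_port not in allowed:
            return "drop"
        self.sessions[(src_ip, src_port, dst_ip, dst_port)] = now
        return "accept"

    def inbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Server -> client datagram: accept only as the reverse of a pending session."""
        self._expire(now)
        key = (dst_ip, dst_port, src_ip, src_port)
        if key not in self.sessions:
            return "drop"  # unsolicited: no matching request is pending
        self.sessions[key] = now  # assumption: a genuine reply keeps the session alive
        return "accept"


def inspect_trace(trace, allowed, timeout=40.0):
    """Run (direction, src_ip, src_port, dst_ip, dst_port, time) records through one table."""
    table = UdpStateTable(timeout)
    verdicts = []
    for direction, sip, sport, dip, dport, t in trace:
        if direction == "out":
            verdicts.append(table.outbound(sip, sport, dip, dport, t, allowed))
        else:
            verdicts.append(table.inbound(sip, sport, dip, dport, t))
    return verdicts


# Constructed trace: a DNS query and its reply, a reply to the wrong client
# port, a reply from a server never queried, a TFTP attempt the rule base does
# not permit, and a late reply after the session has timed out.
SAMPLE_TRACE = [
    ("out", "10.0.0.5", 40000, "192.0.2.53", 53, 0.0),
    ("in", "192.0.2.53", 53, "10.0.0.5", 40000, 1.0),
    ("in", "192.0.2.53", 53, "10.0.0.5", 40001, 1.5),
    ("in", "198.51.100.9", 53, "10.0.0.5", 40000, 1.5),
    ("out", "10.0.0.5", 40002, "192.0.2.53", 69, 2.0),
    ("in", "192.0.2.53", 53, "10.0.0.5", 40000, 100.0),
]
```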
[Figure: TCP/IP services mapped to 7-layer OSI model. Application, Presentation and Session: FTP, Telnet, SMTP, Other; Transport: TCP, UDP; Network: IP; Data Link and Physical: Ethernet, FDDI, X.25, Other.]

Performance

The simple and effective design of FireWall-1's INSPECT Engine achieves optimum performance as follows:

• Running inside the operating-system kernel imposes negligible overhead in processing. No context switching is required, and low-latency operation is achieved.

• Advanced memory management techniques, such as caching and hash tables, are used to unify multiple object instances and to efficiently access data.

• Generic and simple inspection mechanisms are combined with a packet inspection optimizer to ensure optimal utilization of modern CPU and OS designs.

Independent test results indicate that FireWall-1 imposes negligible performance degradation on network traffic and can support data throughput rates exceeding 100 Mbps. In addition, the platform flexibility of FireWall-1 enables customers to scale their security infrastructure to meet the increasing demands of enterprise networks.

Securing Dynamically Allocated Port Connections such as RPC

Simple tracking of port numbers fails for RPC (Remote Procedure Call) because RPC-based services (NFS, NIS) do not use pre-defined port numbers. Port allocation is dynamic and often changes over time. FireWall-1's INSPECT Engine dynamically and transparently tracks RPC port numbers using the port mappers in the system. The INSPECT Engine tracks initial portmapper requests and maintains a cache that maps RPC program numbers to their associated port numbers and servers. Whenever the INSPECT Engine examines a rule in which an RPC-based service is involved, it consults the cache, comparing the port numbers in the packet and cache and verifying that the program number bound to the port is the one specified in the rule. If the port number in the packet is not in the cache (this can occur when an application relies on prior knowledge of port numbers and initiates communication without first issuing a portmapper request), the INSPECT Engine issues its own request to portmapper and verifies the program number found bound to the port.
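The RPC portmapper cache described above, with the active fallback query for ports that were never learned passively, as an added Python example that is not Check Point code. The program numbers are the standard RPC assignments (100003 for NFS, 100004 for ypserv/NIS); the server addresses, port numbers and the `stub_getport` callback standing in for a real portmapper query are constructed assumptions.

```python
"""RPC portmapper cache in the style of FireWall-1's INSPECT Engine. Added
example, not Check Point code. Program numbers are the standard RPC
assignments; hosts, ports and the portmapper stub are constructed."""

NFS = 100003
YPSERV = 100004


class RpcStateTable:
    """Maps (server_ip, program) -> port, learned passively or by active query."""

    def __init__(self, getport):
        # getport(server_ip, program) -> port or None: an active GETPORT-style
        # query to that server's portmapper (assumed callback; stubbed below)
        self.getport = getport
        self.cache = {}

    def on_portmapper_reply(self, server_ip, program, port):
        """Record a GETPORT reply seen on the wire; a later reply overrides it."""
        self.cache[(server_ip, program)] = port

    def check(self, server_ip, dst_port, rule_programs):
        """Rule permits the given RPC programs: accept only if dst_port is bound to one."""
        for program in rule_programs:
            port = self.cache.get((server_ip, program))
            if port is None:
                # Not learned passively (client knew the port in advance): ask
                # portmapper ourselves and cache the answer.
                port = self.getport(server_ip, program)
                if port is None:
                    continue  # program is not registered on this server
                self.cache[(server_ip, program)] = port
            if port == dst_port:
                return "accept"
        return "drop"  # dst_port carries no program the rule permits


# Constructed portmapper registry for a single server; stands in for the
# portmapper query a real engine would issue.
_REGISTRY = {("192.0.2.20", NFS): 2049, ("192.0.2.20", YPSERV): 32771}


def stub_getport(server_ip, program):
    return _REGISTRY.get((server_ip, program))
```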
How to Contact Us

For product information, visit us at http://www.checkpoint.com.

Check Point Software Technologies, Inc.
Three Lagoon Drive, Suite 400
Redwood City, CA 94063

Check Point Software Technologies Ltd.
3A Jabotinsky Street, 24th Floor
Ramat-Gan 52520, Israel

©1999 Check Point Software Technologies Ltd. All rights reserved.


Check Point, the Check Point logo, FireWall-1, FloodGate-1, INSPECT,
IQ Engine, Meta IP, Open Security Extension, OPSEC, Provider-1, User-to-
Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Appliance,
VPN-1 Certificate Manager, VPN-1 Gateway, VPN-1 SecuRemote, and
ConnectControl are trademarks or registered trademarks of Check Point
Software Technologies Ltd. or its affiliates. All other product names
mentioned herein are trademarks or registered trademarks of their
respective owners. The products described in this document are protected
by U.S. Patent No. 5,606,668 and 5,835,726 and may be protected by
other U.S. Patents, foreign patents, or pending applications.

P/N 30202200100
