Product specifications
Chapter 5: System Security
Efficient Networks® Router family Technical Reference Guide
Page 5-34
Stateful Firewall
The built-in firewall filters consist of a set of rules that is examined each time a
packet is transmitted to or received from the public network. The filter examines the
packet's header information and matches it against the set of defined rules. If it finds
a match, the corresponding action is performed; if not, the packet is accepted.
IP filtering firewalls provide an adequate level of security, but they are limited in that
they do not look beyond the packet's header to collect more information, which may
leave the network behind the firewall vulnerable to attacks. Also, in some cases, a range
of port numbers must be opened to allow some protocols to work. For example, the FTP
protocol involves an exchange of port number information between the client and server:
the client sends the server the port number at which the server can connect back to the
client. For such protocols to work through a packet filtering firewall, a range of ports
would have to be opened and exposed, since the firewall cannot know in advance exactly
which port number will be used. This type of static protection leaves machines behind
the firewall vulnerable.
The stateful firewall overcomes these limitations by maintaining state information
about each session. The firewall intercepts outgoing packets, gathers enough
information from them (for example, IP address and port number information), and
creates the state information for that session. When an incoming packet is seen, the
firewall checks the packet against the state information it has maintained, and if the
packet belongs to a tracked session, it is accepted. Thus, by tracking and controlling
the flow of information through the firewall, the stateful firewall provides robust security.
Stateful Firewall is a key-enabled feature. The following section applies only to routers
with a valid feature key installed. For more information, see Key Enabled Features
on page 4-29.
Firewall Rules
The rules created by the user are sorted into the 'Allow' and 'Deny' lists. While
processing a packet, rules from the Deny list are applied first. If the packet matches
an entry on this list, it is dropped. If not, the packet is compared to the Allow rules
list. If a matching entry exists here, the packet is accepted. If not, the packet is
dropped.
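The following is an added example, not code from the guide or the router firmware, that models the two behaviours described above: session state created from outgoing packets (the stateful firewall section) and the Deny-list-first, Allow-list-second, default-drop evaluation of user rules (this section). The Packet and Rule structures, the assumption that rules are matched on protocol and destination port, and the assumption that outbound packets are always accepted and only create state, are simplifications chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool   # True when leaving the LAN toward the public network

@dataclass(frozen=True)
class Rule:
    proto: str       # assumption: rules match on protocol and destination port only
    dport: int

class StatefulFirewall:
    def __init__(self, deny_rules, allow_rules):
        self.deny = list(deny_rules)
        self.allow = list(allow_rules)
        # Session state keyed as (proto, local_ip, local_port, remote_ip, remote_port)
        self.sessions = set()

    @staticmethod
    def _matches(rules, pkt):
        return any(r.proto == pkt.proto and r.dport == pkt.dport for r in rules)

    def process(self, pkt):
        """Return 'accept' or 'drop' for one packet, updating session state."""
        if pkt.outbound:
            # Outgoing packets are intercepted and their addressing recorded as
            # the session state (assumption: outbound traffic itself is accepted).
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        # Inbound: a reply that belongs to a tracked session is accepted without
        # consulting the static rule lists.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "accept"
        # Otherwise apply the user rules: Deny list first, then Allow list,
        # and drop anything that matches neither.
        if self._matches(self.deny, pkt):
            return "drop"
        if self._matches(self.allow, pkt):
            return "accept"
        return "drop"
```

An unsolicited inbound packet to a high port that no rule allows is dropped even though an outbound session to the same remote host exists on a different port, which is the gap the static port range of a plain packet filter would have left open.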
Rule Creation
This section discusses creating and modifying firewall rules using the CLI. For rule
creation from the WMI, see Firewall Rule Configuration on page 8-63.
When creating a rule, the basic command structure is:
    firewall <command> <protocol | application> [parameters]