Chapter 24 Firewall
The Stateful Inspection Firewall (SIF) provided for bintec elmeg gateways is a powerful security feature.
The SIF with dynamic packet filtering has a decisive advantage over static packet filtering: the decision whether or not to forward a packet is made not only on the basis of source and destination addresses or ports, but also on the basis of the state of the connection to a partner (dynamic packet filtering).
This means packets that belong to an already active connection can also be forwarded.
The SIF also accepts packets that belong to an "affiliated connection". The negotiation of
an FTP connection takes place over port 21, for example, but the actual data exchange can
take place over a completely different port.
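The following toy stateful filter is an added illustration of the two behaviours just described (forwarding packets of an already active connection, and accepting an "affiliated" connection announced over an FTP control channel); it is example code, not the bintec elmeg SIF implementation. The LAN prefix, the addresses and the packet sequence are constructed for the example, and the FTP handling is simplified to the active-mode PORT command, since a passive-mode data channel is opened from the LAN side and is already covered by the outbound rule.

```python
"""Toy stateful packet filter (constructed example, not the vendor's SIF).

Policy assumed for this example:
  * new connections initiated from the LAN (10.0.0.0/8) are allowed;
  * packets arriving from outside are accepted only if they match the reverse
    of an established flow, or a data channel that the LAN client announced
    with an FTP PORT command on an established control connection (port 21).
"""
import ipaddress
import re
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.0.0.0/8")          # assumed internal network
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    payload: bytes = b""

    @property
    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    @property
    def reverse_flow(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFilter:
    def __init__(self):
        self.established = set()   # flows opened in the permitted direction
        self.expected = set()      # (proto, dst, dport) of announced data channels

    def decide(self, pkt: Packet) -> str:
        # 1. Packet belongs to an already active connection (either direction).
        if pkt.flow in self.established or pkt.reverse_flow in self.established:
            self._track_ftp(pkt)
            return "ACCEPT"
        # 2. Packet opens an "affiliated" connection a control channel announced.
        key = (pkt.proto, pkt.dst, pkt.dport)
        if key in self.expected:
            self.expected.discard(key)       # one-shot expectation
            self.established.add(pkt.flow)
            return "ACCEPT"
        # 3. New connection: permitted only when it originates in the LAN.
        if ipaddress.ip_address(pkt.src) in LAN:
            self.established.add(pkt.flow)
            self._track_ftp(pkt)
            return "ACCEPT"
        return "DROP"

    def _track_ftp(self, pkt: Packet):
        # A PORT command sent by the client to an FTP server (destination port 21)
        # announces the address and port the server will connect back to.
        # Real implementations also pin the peer address and expire expectations;
        # that is omitted here for brevity.
        if pkt.proto == "tcp" and pkt.dport == 21:
            m = PORT_RE.search(pkt.payload)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
                self.expected.add(("tcp", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))


def run_scenario():
    """Constructed packet sequence; returns the verdict for each packet."""
    fw = StatefulFilter()
    packets = [
        Packet("203.0.113.7", 40000, "10.0.0.5", 22),                    # unsolicited inbound
        Packet("10.0.0.5", 50000, "198.51.100.9", 21),                   # LAN opens FTP control
        Packet("198.51.100.9", 21, "10.0.0.5", 50000, payload=b"220 ready\r\n"),
        Packet("10.0.0.5", 50000, "198.51.100.9", 21,
               payload=b"PORT 10,0,0,5,4,1\r\n"),                       # announces 10.0.0.5:1025
        Packet("198.51.100.9", 20, "10.0.0.5", 1025),                    # announced data channel
        Packet("198.51.100.9", 20, "10.0.0.5", 1026),                    # never announced
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

A purely static filter would have to open port 1025 (and in practice a whole port range) towards the client permanently to let the fifth packet through; the stateful filter accepts it only because the control channel announced it, and still drops the sixth packet to a port that was never announced.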
SIF and other security features
The Stateful Inspection Firewall fits into the existing security architecture of bintec elmeg.
Compared with systems like Network Address Translation (NAT) and IP Access Lists (IPAL), the configuration work for the SIF is relatively straightforward.
As SIF, NAT and IPAL are active in the system simultaneously, attention must be given to their possible interaction: if a packet is rejected by any one of the security instances, it is discarded immediately, regardless of whether another instance would have accepted it. Your need for security features should therefore be analysed accurately.
The essential difference between SIF and NAT/IPAL is that the rules for the SIF are generally applied globally, i.e. not restricted to one interface.
In principle, the same filter criteria are applied to the data traffic as those used in NAT and
IPAL:
• Source and destination address of the packet (with an associated netmask)
• Service (preconfigured, e.g. Echo, FTP, HTTP)
• Protocol
• Port number(s)
To illustrate the differences in packet filtering, a list of the individual security instances and
their method of operation is given below.
NAT
bintec elmeg GmbH
elmeg hybird 120 / hybird 130