Chapter 19 Firewall
The Stateful Inspection Firewall (SIF) provided for bintec gateways is a powerful security
feature.
The SIF with dynamic packet filtering has a decisive advantage over static packet filtering:
The decision whether or not to send a packet cannot be made solely on the basis of source
and destination addresses or ports but also using dynamic packet filtering based on the
state of the connection to a partner.
This means packets that belong to an already active connection can also be forwarded.
The SIF also accepts packets that belong to an "affiliated connection". The negotiation of
an FTP connection takes place over port 21, for example, but the actual data exchange can
take place over a completely different port.
SIF and other security features
bintec’s Stateful Inspection Firewall fits into the existing security architecture of bintec
device very well due to its simple configuration. The configuration work for the SIF is com-
paratively straightforward with systems like Network Address Translation (NAT) and IP Ac-
cess Lists (IPAL).
As SIF, NAT and IPAL are active in the system simultaneously, attention must be given to
possible interaction: If any packet is rejected by one of the security instances, this is done
immediately. This is irrelevant whether another instance would accept it or not. Your need
for security features should therefore be accurately analysed.
The essential difference between SIF and NAT/IPAL is that the rules for the SIF are gener-
ally applied globally, i.e. not restricted to one interface.
In principle, the same filter criteria are applied to the data traffic as those used in NAT and
IPAL:
• Source and destination address of the packet (with an associated netmask)
• Service (preconfigured, e.g. Echo, FTP, HTTP)
• Protocol
• Port number(s)
To illustrate the differences in packet filtering, a list of the individual security instances and
their method of operation is given below:
19 Firewall
Funkwerk Enterprise Communications GmbH
366
bintec Rxxx2/RTxxx2