Stateful packet inspection – Zilog EZ80F91GA User Manual

ZGATE Embedded Security Development Kit User Manual (UM024502-1012)
ZGATE Packet Filtering, page 24
while TCP port numbers are configured for whitelist filtering. If static filtering of any particular criterion is not required, that filter can be disabled independently of the others.
Static filtering, also called rules-based filtering, uses a filtering engine to evaluate each packet against the configured rules or policies. Each rule specifies a filtering mode (whitelist, blacklist or disabled), the packet field it examines (IP address, protocol number, port value, etc.), and the values to be matched.
A whitelist is a list of allowed values. If a packet is received and the value is in the list, it
is allowed. If not, it is blocked. A blacklist is the opposite: any values on the list are
blocked and all other values are allowed.
For example, consider the following rule set:
Rule 1, WHITELIST, IP source address, {201.87.53.10, 201.87.53.11, 201.87.53.12}
Rule 2, WHITELIST, IP protocol, {1,2,6,17}
Rule 3, BLACKLIST, UDP destination port, {600–799}
Rule 4, BLACKLIST, TCP destination port, {600–799}
When a packet is received, the filtering engine first checks Rule 1. If the source IP address is not one of 201.87.53.10, 201.87.53.11 or 201.87.53.12, the firewall blocks the packet. Otherwise, the filtering engine proceeds to the next rule.
The second rule specifies that the IP protocols ICMP, IGMP, TCP and UDP (protocol numbers 1, 2, 6 and 17) are allowed. Packets received with any other protocol value are blocked, even those from a whitelisted IP address. The third and fourth rules blacklist UDP and TCP destination ports 600–799, so any UDP or TCP packet addressed to one of these ports is blocked. A port rule has no effect on packets of other protocols, such as ICMP, because they carry no port field.
A packet must pass every rule, or it is blocked before it reaches the ZTP stack. Because every rule must be satisfied, the outcome does not depend on the order in which the rules are listed; there is no first-match-wins behaviour.
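The rule set above, implemented as an added worked example in C (this is illustration code, not code from the ZGATE firmware, ZTP or this manual): a small rules-based filtering engine with the whitelist, blacklist and disabled modes described, range-valued match lists, and the convention that a port rule simply does not apply to a packet of another protocol. The function and type names (static_filter_accept, struct rule, the host-byte-order struct packet) and the IPV4 macro are assumptions of the example; the real ZGATE configuration interface is not shown.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum filter_mode  { MODE_DISABLED, MODE_WHITELIST, MODE_BLACKLIST };
enum filter_field { FIELD_SRC_IP, FIELD_PROTOCOL, FIELD_UDP_DPORT, FIELD_TCP_DPORT };
enum { PROTO_ICMP = 1, PROTO_IGMP = 2, PROTO_TCP = 6, PROTO_UDP = 17 };

struct range { uint32_t lo, hi; };    /* inclusive; a single value is {v, v} */

struct rule {
    enum filter_mode  mode;
    enum filter_field field;
    const struct range *values;
    size_t nvalues;
};

struct packet {                       /* hypothetical decoded-header view, host byte order */
    uint32_t src_ip;
    uint8_t  protocol;
    uint16_t dst_port;                /* meaningful for TCP and UDP only */
};

#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Extract the field a rule examines. Returns false when the packet has no such field
   (a port rule applied to ICMP, for instance), in which case the rule does not apply. */
static bool field_value(const struct rule *r, const struct packet *p, uint32_t *out)
{
    switch (r->field) {
    case FIELD_SRC_IP:    *out = p->src_ip;   return true;
    case FIELD_PROTOCOL:  *out = p->protocol; return true;
    case FIELD_UDP_DPORT: if (p->protocol != PROTO_UDP) return false; *out = p->dst_port; return true;
    case FIELD_TCP_DPORT: if (p->protocol != PROTO_TCP) return false; *out = p->dst_port; return true;
    }
    return false;
}

static bool in_list(const struct rule *r, uint32_t v)
{
    for (size_t i = 0; i < r->nvalues; i++)
        if (v >= r->values[i].lo && v <= r->values[i].hi) return true;
    return false;
}

/* One rule: pass if disabled or not applicable; otherwise a whitelist passes listed
   values and a blacklist passes unlisted ones. */
static bool rule_passes(const struct rule *r, const struct packet *p)
{
    uint32_t v;
    if (r->mode == MODE_DISABLED || !field_value(r, p, &v)) return true;
    bool listed = in_list(r, v);
    return r->mode == MODE_WHITELIST ? listed : !listed;
}

/* A packet must pass every rule; the rules are ANDed, so their order is irrelevant. */
bool static_filter_accept(const struct rule *rules, size_t nrules, const struct packet *p)
{
    for (size_t i = 0; i < nrules; i++)
        if (!rule_passes(&rules[i], p)) return false;
    return true;
}

/* The four rules from the text */
static const struct range src_ips[] = {
    { IPV4(201,87,53,10), IPV4(201,87,53,10) },
    { IPV4(201,87,53,11), IPV4(201,87,53,11) },
    { IPV4(201,87,53,12), IPV4(201,87,53,12) },
};
static const struct range protos[] = { {PROTO_ICMP, PROTO_ICMP}, {PROTO_IGMP, PROTO_IGMP},
                                       {PROTO_TCP, PROTO_TCP}, {PROTO_UDP, PROTO_UDP} };
static const struct range blocked_ports[] = { {600, 799} };

const struct rule example_rules[] = {
    { MODE_WHITELIST, FIELD_SRC_IP,    src_ips,       3 },
    { MODE_WHITELIST, FIELD_PROTOCOL,  protos,        4 },
    { MODE_BLACKLIST, FIELD_UDP_DPORT, blocked_ports, 1 },
    { MODE_BLACKLIST, FIELD_TCP_DPORT, blocked_ports, 1 },
};

/* Run one packet through the example rule set */
bool example_accept(uint32_t src_ip, uint8_t proto, uint16_t dst_port)
{
    struct packet p = { src_ip, proto, dst_port };
    return static_filter_accept(example_rules, sizeof example_rules / sizeof example_rules[0], &p);
}

int main(void)
{
    printf("TCP 201.87.53.11 -> :80   %s\n", example_accept(IPV4(201,87,53,11), PROTO_TCP, 80)  ? "pass" : "drop");
    printf("TCP 201.87.53.13 -> :80   %s\n", example_accept(IPV4(201,87,53,13), PROTO_TCP, 80)  ? "pass" : "drop");
    printf("UDP 201.87.53.10 -> :700  %s\n", example_accept(IPV4(201,87,53,10), PROTO_UDP, 700) ? "pass" : "drop");
    printf("GRE 201.87.53.10          %s\n", example_accept(IPV4(201,87,53,10), 47, 0)          ? "pass" : "drop");
    return 0;
}
```

The packets in main are constructed for the demonstration. Note the two design points a real engine must get right: a rule whose field the packet does not carry must not silently block (or silently pass) traffic of a different protocol, and a blacklisted range is checked inclusively at both ends, so 600 and 799 are blocked while 599 and 800 are not.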
Stateful Packet Inspection
Stateful Packet Inspection (SPI) maintains information about the state of each connection and uses that information to make filtering decisions. For TCP, a connection-oriented protocol, the protocol's own connection state is used. For connectionless protocols such as UDP there is no protocol state, so the connection state is inferred as either CLOSED or ESTABLISHED from how recently a packet was sent or received for a given IP address and UDP port. SPI requires a state table, which is updated as each connection is established, proceeds through its connection states, and is closed. As packets are received, the firewall validates each one against the current state of its connection and then updates the state table; a packet that is not valid for the current state is blocked. SPI is protocol-specific; the SPI engine must therefore implement a state transition and state validation routine for each supported protocol.
The ZGATE SPI module only supports the TCP and UDP protocols. Packets of any other protocol that static filtering admits, such as ICMP and IGMP in the example above, receive no stateful checking.
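A minimal state table of the kind described, written in C as an added example (not code from the ZGATE firmware, ZTP or this manual). It shows the two things the text separates: a TCP routine that validates each segment against the flow's current state and then advances it, and a UDP routine that infers ESTABLISHED or CLOSED from a last-seen timestamp. Everything specific is an assumption of the example: the 30-second UDP idle timeout, the policy that only an outbound datagram opens a UDP entry (so unsolicited inbound datagrams are dropped) while traffic in either direction refreshes it, the reduced TCP machine (CLOSED, SYN_SENT, SYN_RECEIVED, ESTABLISHED, with a FIN closing the entry at once and no FIN_WAIT or CLOSE_WAIT), the 16-entry table, and the function names spi_tcp, spi_udp, spi_state and spi_reset. The manual does not state ZGATE's timeout, table size or policy.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { F_FIN = 0x01, F_SYN = 0x02, F_RST = 0x04, F_ACK = 0x10 };   /* TCP header flag bits */
enum { PROTO_TCP = 6, PROTO_UDP = 17 };
enum conn_state { ST_CLOSED = 0, ST_SYN_SENT, ST_SYN_RECEIVED, ST_ESTABLISHED };
enum direction { DIR_OUT, DIR_IN };   /* OUT: sent by the device, IN: received from the network */

#define MAX_CONNS 16                  /* assumed table size */
#define UDP_IDLE_TIMEOUT 30           /* seconds; an assumed value, not a ZGATE parameter */

struct conn {
    uint8_t proto;
    uint32_t remote_ip;
    uint16_t remote_port, local_port;
    enum conn_state state;            /* ST_CLOSED marks a free slot */
    uint32_t last_seen;               /* seconds */
};

static struct conn table[MAX_CONNS];

void spi_reset(void) { memset(table, 0, sizeof table); }

static struct conn *lookup(uint8_t proto, uint32_t rip, uint16_t rport, uint16_t lport)
{
    for (int i = 0; i < MAX_CONNS; i++) {
        struct conn *c = &table[i];
        if (c->state != ST_CLOSED && c->proto == proto && c->remote_ip == rip &&
            c->remote_port == rport && c->local_port == lport)
            return c;
    }
    return NULL;
}

/* Claim a free slot; NULL when the table is full, so callers drop rather than fail open. */
static struct conn *allocate(uint8_t proto, uint32_t rip, uint16_t rport, uint16_t lport)
{
    for (int i = 0; i < MAX_CONNS; i++) {
        if (table[i].state != ST_CLOSED) continue;
        table[i].proto = proto; table[i].remote_ip = rip;
        table[i].remote_port = rport; table[i].local_port = lport;
        return &table[i];
    }
    return NULL;
}

/* Validate a TCP segment against the flow's current state, then advance the state.
   Returns true if the segment may pass. Simplified: a FIN closes the entry at once. */
bool spi_tcp(enum direction d, uint32_t rip, uint16_t rport, uint16_t lport, uint8_t flags, uint32_t now)
{
    struct conn *c = lookup(PROTO_TCP, rip, rport, lport);
    enum conn_state s = c ? c->state : ST_CLOSED;
    enum conn_state next = s;
    bool syn = (flags & F_SYN) != 0, ack = (flags & F_ACK) != 0;

    if (flags & F_RST) {                  /* RST is honoured only for a known flow */
        if (!c) return false;
        c->state = ST_CLOSED;
        return true;
    }
    switch (s) {
    case ST_CLOSED:                       /* only a bare SYN may open a flow; stray ACKs are dropped */
        if (!syn || ack || !(c = allocate(PROTO_TCP, rip, rport, lport))) return false;
        next = (d == DIR_OUT) ? ST_SYN_SENT : ST_SYN_RECEIVED;
        break;
    case ST_SYN_SENT:                     /* we sent SYN; expect the peer's SYN+ACK */
        if (d != DIR_IN || !syn || !ack) return false;
        next = ST_ESTABLISHED;
        break;
    case ST_SYN_RECEIVED:                 /* peer sent SYN; our SYN+ACK goes out, its ACK comes in */
        if (d == DIR_OUT ? (!syn || !ack) : (syn || !ack)) return false;
        if (d == DIR_IN) next = ST_ESTABLISHED;
        break;
    case ST_ESTABLISHED:                  /* data segments carry ACK and never SYN */
        if (syn || !ack) return false;
        if (flags & F_FIN) next = ST_CLOSED;
        break;
    default:
        return false;
    }
    c->state = next;
    c->last_seen = now;
    return true;
}

/* UDP has no protocol state: a flow is ESTABLISHED while traffic has been seen within the idle
   timeout and CLOSED otherwise. Assumed policy: only an outbound datagram opens a flow, so an
   unsolicited inbound datagram is dropped; traffic in either direction refreshes the timer. */
bool spi_udp(enum direction d, uint32_t rip, uint16_t rport, uint16_t lport, uint32_t now)
{
    struct conn *c = lookup(PROTO_UDP, rip, rport, lport);
    if (c && now - c->last_seen > UDP_IDLE_TIMEOUT) {
        c->state = ST_CLOSED;             /* idle too long: infer CLOSED and free the slot */
        c = NULL;
    }
    if (!c && (d == DIR_IN || !(c = allocate(PROTO_UDP, rip, rport, lport)))) return false;
    c->state = ST_ESTABLISHED;
    c->last_seen = now;
    return true;
}

/* Current state of a flow, for inspection */
int spi_state(uint8_t proto, uint32_t rip, uint16_t rport, uint16_t lport)
{
    struct conn *c = lookup(proto, rip, rport, lport);
    return c ? (int)c->state : ST_CLOSED;
}

int main(void)
{
    uint32_t peer = 0x0A000001;           /* 10.0.0.1, constructed for the demo */
    spi_reset();
    printf("stray ACK with no flow: %s\n", spi_tcp(DIR_IN, peer, 40000, 80, F_ACK, 0) ? "pass" : "drop");
    printf("inbound SYN: %s\n", spi_tcp(DIR_IN, peer, 40000, 80, F_SYN, 1) ? "pass" : "drop");
    printf("state now %d (2 = SYN_RECEIVED)\n", spi_state(PROTO_TCP, peer, 40000, 80));
    return 0;
}
```

The point of the CLOSED case is the one that matters for a firewall: an ACK, FIN or data segment for a connection the table does not know about is dropped, which is what distinguishes SPI from the static port rules above. Two details carry over to any real implementation: a full table must drop rather than admit (allocate returns NULL), and the UDP expiry check must run before the direction check, or a stale entry would keep admitting inbound datagrams indefinitely.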