Packet State and Context Information

To track and act on both state and context information for an application is to treat that traffic statefully. The following are examples of state and context-related information that a firewall should track and analyze:

• Packet-header information (source and destination address, protocol, source and destination port, and packet length)
• Connection state information (which ports are being opened for which connection)
• TCP and IP fragmentation data (including fragments and sequence numbers)
• Packet reassembly, application type, and context verification (to verify that the packet belongs to the communication session)
• Packet arrival and departure interface on the firewall
• Layer 2 information (such as VLAN ID and MAC address)
• Date and time of packet arrival or departure

The ZoneAlarm firewall examines IP addresses, port numbers, and any other information required. It understands the internal structures of the IP protocol family and applications, and is able to extract data from a packet's application content and store it, to provide context in cases where the application does not provide it. The ZoneAlarm firewall also stores and updates the state and context information in dynamic tables, providing cumulative data against which it inspects subsequent communications.