[PCI DSS 3.0] 1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only “establi

1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only “established” connections are allowed into the network.)

1.3.6 Examine firewall and router configurations to verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.)

A firewall that performs stateful packet inspection maintains the “state” (or the status) for each connection through the firewall. By maintaining the “state,” the firewall knows whether an apparent response to a previous connection is actually a valid, authorized response (since it retains each connection’s status) or is malicious traffic trying to trick the firewall into allowing the connection.
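
The difference the guidance describes can be seen in a small model. This is an added example, not part of the PCI DSS text: it compares a static filter that admits any inbound segment with the ACK flag set against a filter that keeps a per-connection state table. The class and function names are hypothetical, the addresses are constructed from documentation ranges, and the TCP state handling is deliberately simplified.

```python
# Added illustration: a toy model of a perimeter filter, not a real firewall.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags set on the segment, e.g. {"SYN", "ACK"}
    inbound: bool      # True when arriving from the untrusted side

def stateless_allows(pkt):
    """Static ACL: treats any inbound segment with ACK set as 'established'."""
    return not pkt.inbound or "ACK" in pkt.flags

class StatefulFilter:
    """Admits inbound segments only for sessions opened from the inside."""
    def __init__(self):
        self.table = {}  # (in_ip, in_port, out_ip, out_port) -> state

    def allows(self, pkt):
        if not pkt.inbound:  # assumption: egress filtering is out of scope
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"
            elif pkt.flags & {"FIN", "RST"}:
                self.table.pop(key, None)  # simplified teardown
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return False  # no matching session: unsolicited, drop
        if state == "SYN_SENT":
            if pkt.flags != {"SYN", "ACK"}:
                return False  # only the handshake reply is valid here
            self.table[key] = "ESTABLISHED"
            return True
        return "SYN" not in pkt.flags  # no new handshake on a live session

def demo():
    inside, web, rogue = ("10.0.0.5", 40000), ("203.0.113.10", 443), ("198.51.100.7", 443)
    fw = StatefulFilter()
    fw.allows(Packet(*inside, *web, frozenset({"SYN"}), False))  # client opens session
    forged = Packet(*rogue, *inside, frozenset({"ACK"}), True)   # apparent response
    reply = Packet(*web, *inside, frozenset({"SYN", "ACK"}), True)
    return stateless_allows(forged), fw.allows(forged), fw.allows(reply)

if __name__ == "__main__":
    print(demo())  # (stateless forged, stateful forged, stateful genuine reply)
```

The static filter passes the apparent response because it only looks at the flag, while the stateful filter drops it because no session in its table matches, and still admits the genuine handshake reply.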