Re: [fw-wiz] What is the difference between stateful packet filtering and Stateful pkt inspection ?

From: Volker Tanger
To: anil bindal
Date: Fri Jan 31 11:22:53 2003


anil bindal wrote:
> 1) What is the difference between a stateful pkt filter and stateful
> packet inspection ?

> 2) Does either of the above two include payload verification and analysis
> (i.e. application level proxies)?

Only the "inspection" ones - but inspection quite often is limited (in
most cases to parts of HTTP).

> 3) What does the WG FB 1000 do ? Stateful Pkt Inspection or Stateful Pkt
> filtering ?
> 4) What does the WG V60 do ? SPInspection or SPfiltering ?

Stateful - definitely. And I guess some inspection for HTTP - but
nothing I know of (please correct me) for other protocols.

> 5) Does the WatchGuard http-filter rule do the same processing on the
> packet as the Check Point or Cisco PIX rule?

No. CheckPoint and PIX use (transparent) proxies (called "resource" or
"fixup") when filtering. But CKP has quite some inspection for a number
of other protocols - especially when it comes to RPC handling, I do not
know any product coming near. Again: please correct me, if I missed
something here.

> 6) Lastly, is the stateful packet (filter or inspection, whatever the WG
> boxes do) sufficient from the security point of view (no application
> level proxies)?

Depends on the level and quality of inspection - and of the proxy, of
course. In real-world products proxies are usually a bit better/stricter
with respect to security (e.g. checking for RFC conformity).

> Why all the above questions are being asked is because I want to decide on
> either FB 1000 or V60. One of them has BW management and the other does not
> have the application level proxies?

The FB1k has (taken from feature-list) only 4 proxies with
data-sanitation: http, ftp, smtp, dns. If you use e.g. an anti-virus
gateway for these, you'll automatically have most of these features on
the AV gateway. OTOH the Vseries generally is faster with respect to VPN
and has QoS-Mgmt.

> What level of security will I compromise if I decide on V60 with BW
> management?

What do you need the FW for? What is your 2nd/3rd/4th line of defense?


Volker Tanger
IT-Security Consulting

discon gmbh
Wrangelstraße 100
D-10997 Berlin
fon    +49 30 6104-3307
fax    +49 30 6104-3461
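
The distinction discussed in this thread, as an added example that is not part of the original post and is not any vendor's implementation: a stateful filter decides on addresses, ports, flags and connection state only, while an inspecting firewall additionally looks at the payload (here only the first HTTP request line of a flow, mirroring how limited such inspection often is). The `Packet` model, the internal prefix, the policy and the sample traffic are all constructed.

```python
import re
from typing import NamedTuple

class Packet(NamedTuple):              # constructed, simplified TCP segment
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "A"                   # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    payload: bytes = b""

INSIDE = "10.0.0."                     # assumed internal prefix
ALLOWED_PORTS = {80}                   # assumed policy: outbound HTTP only
REQUEST_LINE = re.compile(rb"(GET|HEAD|POST) [!-~]+ HTTP/1\.[01]\r\n")

class StatefulFilter:
    """Decides on addresses, ports, flags and connection state only."""
    def __init__(self):
        self.state = {}                # client->server 4-tuple -> request checked?

    def allow(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.state or (p.dst, p.dport, p.src, p.sport) in self.state:
            return True                # part of a tracked connection
        if p.flags == "S" and p.src.startswith(INSIDE) and p.dport in ALLOWED_PORTS:
            self.state[key] = False    # new outbound connection allowed by policy
            return True
        return False                   # unsolicited: no state entry, no rule

class StatefulInspector(StatefulFilter):
    """Same state table, plus a check of the first HTTP request line per flow."""
    def allow(self, p):
        if not super().allow(p):
            return False
        key = (p.src, p.sport, p.dst, p.dport)
        if p.dport == 80 and p.payload and self.state.get(key) is False:
            if not REQUEST_LINE.match(p.payload):
                del self.state[key]    # non-HTTP data on port 80: drop the flow
                return False
            self.state[key] = True     # request line looked like HTTP
        return True

def decisions(fw, packets):
    return [fw.allow(p) for p in packets]

HANDSHAKE = [Packet("10.0.0.5", 40000, "192.0.2.10", 80, "S"),
             Packet("192.0.2.10", 80, "10.0.0.5", 40000, "SA"),
             Packet("192.0.2.99", 80, "10.0.0.5", 40001, "SA")]  # stray reply
GOOD = Packet("10.0.0.5", 40000, "192.0.2.10", 80, "A", b"GET / HTTP/1.0\r\n\r\n")
BAD = Packet("10.0.0.5", 40000, "192.0.2.10", 80, "A", b"\x00\x01not-http")
```

Both classes reject the stray SYN/ACK because no state entry matches it; only the inspector rejects the non-HTTP payload sent over the permitted port 80 connection.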
