Re: [fw-wiz] FW and TCP Sessions

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 06/01/04

  • Next message: Marcus J. Ranum: "RE: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)"
    To: Manoj Kumar Neelapareddy <manojkreddyutl@yahoo.com>, firewall-wizards@honor.icsalabs.com
    Date: Tue, 01 Jun 2004 09:22:31 -0400
    
    

    Manoj Kumar Neelapareddy wrote:
    >if a FW is said to be a stateful firewall, then will
    >it allow a TCP packet to pass through it(outbound), if
    >i haven't sent a TCP SYN to initiate a TCP Session
    >before sending this TCP packet?

    Manoj, "stateful" is a marketing term, invented by marketers, and
    means whatever it means - there's no shared understanding of
    what a "stateful" firewall is or does except that "everyone knows
    that it's better than just 'packet filtering'".

    "Packet filtering" firewalls are ones that process traffic
    using header information only, without carrying forward
    any context or "state". Note that the "state" that is
    carried by TCP itself is almost entirely in the sequence
    number and the SYN/ACK flags in the packet. So a
    "stateful" firewall *might* do:
            - SYN checking
            - TCP sequence checking
            - firewall-specific internal state tracking; i.e.:
                    remembering which interface the
                    SYN packet came in on
            - layer 7 protocol positioning

    As far as I have ever been able to tell, the first "stateful"
    firewalls were hardly more "stateful" than flagging the
    interface the SYN packet came in on, and snagging bits
    of layer 7 protocol (without addressing fragmentation!)
    for some app protocols like FTP.

    In every possible sense of the term, proxy firewalls are
    "stateful" since they typically are doing TCP and application
    termination and that requires doing all the things a stack
    would. How "stateful" became equated with "good" when
    it's actually a *subset* of what a good firewall does is a
    tribute to marketing genius and the customers' desires
    to make themselves comfortable with marginal but
    attractive technology. New generation "stateful"
    firewalls aren't bad at all and many are doing a lot of
    layer 7 work and nearly all of TCP processing. I am largely
    critical of the early "stateful" firewalls that were little more
    than a pimped-up screening router that cost 10X as much.
    Nowadays "stateful" firewalls are excellent products that
    are almost as good as dumbed-down proxy firewalls.

    >I heard that a Stateful firewall won't allow any TCP
    >packets, other than TCP SYNs, to pass through it, if
    >there is no session corresponding to a TCP packet
    >maintained in the FW's session table.

    Pretty much, that's it!

    That's actually a second generation "stateful" firewall.
    1st generation just kept a state table about what
    interface the SYN came in on. 2nd generation ones
    were "smart" enough to do some TCP sequence-tracking.

    Depending on the firewall, it's an open question what
    the firewall does when it encounters a packet that
    appears to be part of a TCP connection which it has not seen
    the beginning of. Some products are permissive for a
    while after they are rebooted and will accept the
    traffic. This is a thorny problem and equates to an
    acceptance of vulnerability that I'm not comfortable
    with.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
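The following is an added illustration, not code from the thread or from any firewall product: a toy Python model of the three kinds of "state" mjr lists (SYN gating, remembering which interface the SYN arrived on, and TCP sequence tracking), plus a switch that models the permissive "accept a connection whose SYN we never saw" behaviour he describes after a reboot. The interface names, addresses, ports, and the fixed +/- 64K sequence window are constructed for the example; a real connection tracker would use the peer's advertised window rather than a constant.

```python
"""Toy "stateful" TCP filter. Constructed example for the fw-wiz thread above,
not any vendor's implementation: SYN gating, origin-interface tracking
(1st-gen state) and sequence tracking (2nd-gen state), plus an optional
permissive mid-stream pickup mode modelling the post-reboot behaviour."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# TCP flag bits (RFC 793)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

Endpoint = Tuple[str, int]          # (ip, port)


@dataclass(frozen=True)
class Packet:
    iface: str                       # interface the packet arrived on
    src: Endpoint
    dst: Endpoint
    flags: int
    seq: int
    ack: int = 0
    payload_len: int = 0


@dataclass
class Flow:
    initiator: Endpoint              # side that sent the SYN
    origin_iface: str                # interface the SYN came in on (1st-gen state)
    next_seq: Dict[Endpoint, int] = field(default_factory=dict)  # 2nd-gen state


class StatefulFilter:
    """Outbound-only policy: new connections may be opened only from `inside`."""

    def __init__(self, inside: str = "inside", outside: str = "outside",
                 window: int = 65535, pick_up_midstream: bool = False):
        self.inside, self.outside = inside, outside
        self.window = window          # constructed constant, not a real TCP window
        # Models products that, e.g. right after a reboot, accept packets for
        # connections whose SYN they never saw and learn state from them.
        self.pick_up_midstream = pick_up_midstream
        self.table: Dict[frozenset, Flow] = {}

    @staticmethod
    def _key(p: Packet) -> frozenset:
        return frozenset((p.src, p.dst))   # same key for both directions

    def _other(self, iface: str) -> str:
        return self.outside if iface == self.inside else self.inside

    def process(self, p: Packet) -> str:
        key = self._key(p)
        flow = self.table.get(key)
        consumed = p.payload_len + bool(p.flags & SYN) + bool(p.flags & FIN)

        if flow is None:
            if p.flags & SYN and not p.flags & ACK:
                if p.iface != self.inside:
                    return "DROP: inbound SYN"
                self.table[key] = Flow(p.src, p.iface, {p.src: p.seq + consumed})
                return "ACCEPT: new flow"
            if self.pick_up_midstream:
                # We cannot know which side really initiated; we simply trust
                # the packet. Anyone who can forge a plausible segment gets state.
                self.table[key] = Flow(p.src, p.iface, {p.src: p.seq + consumed})
                return "ACCEPT: picked up mid-stream (permissive)"
            return "DROP: no state for non-SYN packet"

        # 1st-gen check: each side must keep arriving on the interface it started on.
        expected = flow.origin_iface if p.src == flow.initiator else self._other(flow.origin_iface)
        if p.iface != expected:
            return "DROP: wrong interface for this flow"

        if p.flags & RST:
            del self.table[key]
            return "ACCEPT: RST, flow removed"

        # 2nd-gen check: seq must be near what this sender is expected to send
        # next, and the ack must not run ahead of what the peer has sent.
        if p.src in flow.next_seq:
            lo = flow.next_seq[p.src]
            if not (lo - self.window <= p.seq < lo + self.window):
                return "DROP: sequence out of window"
        if p.flags & ACK and p.dst in flow.next_seq and p.ack > flow.next_seq[p.dst]:
            return "DROP: ack beyond peer's data"

        flow.next_seq[p.src] = max(flow.next_seq.get(p.src, 0), p.seq + consumed)
        return "ACCEPT"


def demo() -> list:
    """Handshake plus a few illegitimate packets (constructed); returns the decisions."""
    client, server = ("10.0.0.5", 40000), ("93.184.216.34", 80)
    fw = StatefulFilter()
    decisions = [
        fw.process(Packet("inside", client, server, SYN, seq=1000)),
        fw.process(Packet("outside", server, client, SYN | ACK, seq=5000, ack=1001)),
        fw.process(Packet("inside", client, server, ACK, seq=1001, ack=5001)),
        fw.process(Packet("inside", client, server, ACK, seq=1001, ack=5001, payload_len=100)),
        # server segment with a sequence number nowhere near 5001
        fw.process(Packet("outside", server, client, ACK, seq=999_999, ack=1101)),
        # packet claiming to be the client but arriving on the outside interface
        fw.process(Packet("outside", client, server, ACK, seq=1101, ack=5001)),
        # stray ACK for a connection the firewall never saw a SYN for
        fw.process(Packet("outside", server, ("10.0.0.5", 40001), ACK, seq=7000, ack=1)),
    ]
    # The same stray ACK against a permissive (reboot-grace) filter gets through.
    lax = StatefulFilter(pick_up_midstream=True)
    decisions.append(lax.process(Packet("outside", server, ("10.0.0.5", 40001), ACK, seq=7000, ack=1)))
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The last two decisions in demo() are the point of the thread: the strict filter drops a non-SYN packet it has no state for, while the permissive one creates state from a packet it cannot verify, which is exactly the acceptance of vulnerability mjr objects to.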


