Re: [fw-wiz] Firewalls that generate new packets..



On Nov 13, 2007 10:58 PM, Kelly Robinson <caliana1989@xxxxxxxxx> wrote:
Some firewalls, after receiving a packet, generate a new packet and populate
it with data from the original, rather than forwarding the same packet that
was received. What are the advantages and disadvantages of this approach?
And does anyone have any examples of any firewalls that do this on the
market?


Your first statement is a bit ambiguous. Are you talking specifically
about IP reassembly? Because in a sense, any packet that has
undergone NAT translation is a "new" packet because it has changed
(albeit just 2-3 fields of the IP header) from the time it arrived to
the time it was forwarded on.

So the upside to firewalls that do IP reassembly (like iptables, pf,
and most of the commercial "stateful firewall" products) as well as
proxy firewalls is that they serve to normalize traffic to one degree
or another. They reduce the amount of control an external attacker
has over the packets that are passed to your network through the
firewall.

The downside is that this can break crappy protocols (or even normal
protocols in the case of a misconfigured firewall).

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
