Re: [fw-wiz] Firewalls that generate new packets..

Marcus J. Ranum wrote:

Darden, Patrick S. wrote:


...

*stateless: i.e. extended ACLs that merely look for syns/acks
or less--e.g. if it has the proper syns/acks let it through.
This is a recipe for DOS disaster of course. Connection
hijacking. You name it. Stateless would not just include
firewalls that only look for proper syns/acks--it would also
include less artful firewalls that don't even do something
that complex.



Let's take MITM and DOS off the table. No firewall will
protect you against either of those.



Understanding what DOS is appears to be a problem for a
*lot* of people. Lots of people seem to fail to understand
what the real problem is - the saturation of your network
(connection) with packets that you don't want anything to
do with at a point at which you've got no control over.

What's more, people seem to think that you can just filter
out DOS attacks. Will someone please give me a cricket
bat (or baseball bat) so I can apply some proper instruction?
*sigh*

As Marcus said, no firewall, be it stateless, stateful, proxy,
or otherwise can help you against DOS.


...

*virtual stateful: keep a matrix of connections, but do nothing
with tcp sequence #s. This is a little better than the above,
in that improper resets would be ignored (e.g. that Charter
business where they were sending resets back to p2p clients).



What is an improper reset? Is that an out-of-sequence reset?
...



Marcus, don't you find it funny that people are coming up
with new terms to describe technology that is even more
lame than what has been available via open source for more
than 10 years now?


Stream inspection (deep packet inspection) would be even better.



Is "deep packet inspection" stream inspection?
...
What I'm getting at is that the industry was sold a gigantic
bill of goods (or load of bull, depending on your preferred
metaphor) in the form of "stateful inspection" and is
re-subscribing for another load called "deep packet inspection."

Put another way:
"Where's the 'deep'?"



I think 'deep' is more of a reference about how far they'd like
you to reach into your pocket - again - so they can get their
product bell curve to turn the right way :-)

...

*stateful with deep packet inspection: a connection matrix
is kept, mindful of sequence #s, checking to make sure that
only proper protocols are allowed, and additionally checking
for application level sanity--e.g. squid, a web application
proxy that allows for various levels of sanity checking on
http commands, can ensure that requests follow RFCs, allows a
lot of custom filtering/sanitizing such as regexp type addons
for getting rid of pop-ups, malware, pushes that might break
cgi boundaries, etc.



Now, you're cooking with gas.



You know for a while, one of my favourite HTTP commands
to a proxy was "CONNECT". telnet straight through
someone's firewall that was HTTP only ;-)

I forget how it went, but something like this:
CONNECT http://12.34.56.78:23 HTTP/1.0

and sometime later, I'd happily see this:

SunOS foo
login:

Of course now people restrict CONNECT to the more usual
ports, such as 443 but since 443 is normally encrypted, it
is uncommon for any content filtering to be applied to it...

Does your ssh server /also/ run on port 443? ;)


...

Is it possible that a "firewall" is largely "a router
with a sticker on it that says 'firewall'?"



The ADSL+router+NAT+Firewall you buy from Safeway at
$29.95 probably is just that :-)


...
Unless it's doing a lot of useful "deep" stuff at
layer-7, I'd say that might be the situation.

The question I want you all to start asking is:
"What's 'deep' about that?"



I first heard the term "deep packet inspection" around 5 years
ago and nothing I've seen or heard since then has convinced me
that it is anything other than a marketting term, used by people
trying to sell _something_ (be it themselves, their ideas or products)
that you'd otherwise not think twice about.

And it is the lack of definition about what "deep packet inspection"
is that continues to make it sound good. Nobody appears to have a
precise definition, so everyone can claim it (for different reasons.)

I mean, would you buy a firewall that did stateful filtering, proxying
or deep packet inspection? I mean, what sounds sexier?

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Relevant Pages

  • Re: Ports that are open on a Server
    ... The server is not an internet server, ... mail server already behind a firewall. ... The DoS that I ...
    (microsoft.public.win2000.security)
  • Re: CA vs. Symantec vs. Microsoft
    ... Microsoft can release antispyware for the cooperation and power ... I am disappointed that XP has a poor legacy substitute DOS shell ... :> You do not use a firewall and so you must be playing with fire. ...
    (microsoft.public.windowsxp.general)
  • Re: Stand alone linux webserver security tuning
    ... You don't really need a firewall on a standalone webserver. ... only very few DoS types you can handle on the host itself (syn floods ... $IPT -P OUTPUT ACCEPT ...
    (Security-Basics)
  • Re: CA vs. Symantec vs. Microsoft
    ... We are moving away from DOS.. ... the Microsoft antispyware does show promise but we ... > wheras 98SE has true MS-DOS but still lacks some DOS commands as PCR has ... >:> You do not use a firewall and so you must be playing with fire. ...
    (microsoft.public.windowsxp.general)
  • Re: Firewall and Win2k
    ... Agnitum Outpost does a great job blocking DoS attacks. ... >> I'm using Tiny Firewall, ... >of them protect against DoS. ...
    (microsoft.public.win2000.security)