Re: [fw-wiz] Firewalls that generate new packets..
- From: Darren Reed <darrenr@xxxxxxxxxxxxxxxxx>
- Date: Wed, 28 Nov 2007 11:16:50 -0800
Darden, Patrick S. wrote:
Marcus J. Ranum
...
The hard thing I had to wrap my brain around was the
observation that between a router+ACLs combined
with the state that is held in the TCP stack of the
target, you've got exactly the same thing (and often
quite a bit better!) than a "stateful" firewall.
I respecfully disagree for all the reasons I have outlined
before.... Sum: tcp sequence #s make a difference.
So long as you mean "tcp sequence#s" to mean modelling the entire
TCP connection state, yes. The implication that you're missing is that
the TCP window also needs to be tracked (including whether or not
window scaling is being used), along with which flags appeared at
which sequence numbers so you know what to expect next. e.g
the SYN and FIN flags impact sequence numbers without there being
an explicit change in the headers.
If you go to the extreme of only allowing in sequence TCP packets
and ensure that retransmitted data is always the same as the original,
you could argue that the "stateful inspection" mode here becomes a
layer 5 firewall rather than layer 3 or 4. And that's without a proxy :)
Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- Follow-Ups:
- Re: [fw-wiz] Firewalls that generate new packets..
- From: Darden, Patrick S.
- Re: [fw-wiz] Firewalls that generate new packets..
- References:
- Re: [fw-wiz] Firewalls that generate new packets..
- From: Darden, Patrick S.
- Re: [fw-wiz] Firewalls that generate new packets..
- Prev by Date: Re: [fw-wiz] Firewalls that generate new packets..
- Next by Date: Re: [fw-wiz] Firewalls that generate new packets..
- Previous by thread: Re: [fw-wiz] Firewalls that generate new packets..
- Next by thread: Re: [fw-wiz] Firewalls that generate new packets..
- Index(es):
Relevant Pages
|
