Re: stateful inspection

From: Christian Altenbach (altenbach@mediaone.net.invalid)
Date: 12/19/01


From: "Christian Altenbach" <altenbach@mediaone.net.invalid>
Date: Wed, 19 Dec 2001 17:28:13 GMT


"Erik Basilier" <ebasiliersprint0@earthlink.net> wrote in message
news:9vp54q$7f4$1@slb1.atl.mindspring.net...
> This question will make sense only for readers familiar with "stateful
> inspection"
> as used in Checkpoint Firewall-1.
...
> Does somebody have information
> about what reality is behind Netgear's "stateful inspection"?
>

The RO318 is based on the ZyNOS operating system by ZyXEL, which is probably
the best (stability, flexibility, features) in this market segment.

The RO318 uses a relatively simple ZyNOS stateful firewall implementation
compared to the much more full featured ZyWALL series:
http://www.zyxel.com/product/security/index.htm

If you want to get an idea about the stateful firewall implemented in the
ZyWALL 10, have a look at the manual at
ftp://ftp.zyxel.com/download/public/document/zywall10_v3.50_document_2_3.pdf
(300 pages!). Compare this with the 100 pages of the RO318 manual.

"Keith W. McCammon" <km@km.com> wrote in message
news:9vq82c$groha$1@ID-59806.news.dfncis.de...
> All that stateful inspection entails is the creation of a memory-resident
> table, and as SYN packets arrive, you add new connections to that table.
> Anything else that arrives with SYN/ACK, ACK, FIN, or RST must match an
> existing connection in the state table to be passed.

While Keith is partially right about keeping connection state, there is much
more to it. For example, in many cases the packet payload is inspected (e.g.
SMTP traffic is scanned for SMTP commands considered safe and the connection
is dropped if anything else is tried). Certain dangerous Type/Code
combinations in ICMP are blocked, etc.

    Cheers
    C.
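
Added example, not part of the original post and not ZyNOS or FireWall-1 code: a minimal sketch of the two behaviours discussed above, the state table that non-SYN packets must match and the SMTP command check that drops the connection. The Packet and StatefulFilter names, the SAFE_SMTP list and the sample addresses are assumptions; the rule set that decides which SYNs are allowed, timeouts, and commands split across packets are left out.

```python
from dataclasses import dataclass

# Assumption: the commands treated as safe; the post does not list them.
SAFE_SMTP = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flags, e.g. frozenset({"SYN", "ACK"})
    payload: bytes = b""

class StatefulFilter:
    def __init__(self):
        self.table = {}       # connection key -> per-connection state

    def check(self, p):
        """Return 'pass' or 'drop' for one packet."""
        # Same key for both directions of a connection.
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if p.flags == {"SYN"}:
            self.table[key] = {"in_data": False}
            return "pass"
        state = self.table.get(key)
        if state is None:
            return "drop"     # SYN/ACK, ACK, FIN or RST with no table entry
        # Inspect only client-to-server SMTP payload.
        if p.dport == 25 and p.payload and not self._smtp_ok(state, p.payload):
            del self.table[key]   # drop the connection, not just the packet
            return "drop"
        if "RST" in p.flags:
            del self.table[key]
        return "pass"

    def _smtp_ok(self, state, payload):
        for line in payload.split(b"\r\n"):
            if not line:
                continue
            if state["in_data"]:
                # Message body: not commands, ends at a lone "."
                state["in_data"] = line != b"."
                continue
            verb = line.split(b" ", 1)[0].decode("ascii", "replace").upper()
            if verb not in SAFE_SMTP:
                return False
            state["in_data"] = verb == "DATA"
        return True
```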


