Re: Stateful Inspection

From: Wolfgang Kueter (wolfgang@shconnect.de)
Date: 05/16/02


From: Wolfgang Kueter <wolfgang@shconnect.de>
Date: Thu, 16 May 2002 02:23:29 +0200

James Grant wrote:

> A stateful firewall can inspect the contents of the packets as well.

Even the marketing buzzwords on your company's website show that you
are wrong.

Cut & Paste quoting http://www.8signs.com/

<quote>
Stateful Packet Inspection
VisNetic Firewall falls into a class of firewalls called Stateful
Inspection Firewalls. Stateful inspection firewalls overcome the
limitations of packet filter firewalls and application proxy servers.
They examine more than just the "to" and "from" addresses in the data
packets, and do not require a proxy for every application being
accessed. Stateful inspection firewalls determine whether packets can
get through the firewall based on the protocol, port, and source and
destination addresses.
</quote>

But that is just "To" and "From". What information do you find in the
header of a packet? Source and destination address, protocol, source
port, destination port, maybe TCP flags. Stateful filtering just looks at the
headers.

<quote>
For every request that is allowed by this strategy, stateful inspection
firewalls open up a limited time window to allow response packets, but
ONLY from the same host.
</quote>

This is still layer 3. Nothing about content, just a mechanism to save
information about contacted external hosts and opening a time window
for reply packets. Nothing about content.

<quote>
Also, by maintaining information about previous packets, stateful
inspection firewalls can quickly verify that packets meet the criteria
for authorized traffic, making them inherently fast.
</quote>

Simply wrong: stateful packet filters are slower than non-stateful
ones, because the rules change dynamically. Therefore they consume more
memory and CPU time than non-stateful packet filters.

Wolfgang

-- 
A foreign body and a foreign mind,
never welcome in the land of the blind.
Peter Gabriel, Not one of us, 1980
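The mechanism argued about above, as an added illustration that is not part of the original thread: a toy stateful packet filter that allows an outbound request by a static header rule, opens a time-limited state entry for the reply, and admits an inbound packet only if its header matches that entry (same host, same ports). The class, the addresses and the 30-second window are all constructed for the example; note that the payload is never even passed in.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed example: a minimal stateful packet filter. Decisions are made
# from header fields only; packet contents are never looked at.

@dataclass(frozen=True)
class Header:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

Key = Tuple[str, str, str, int, int]   # (src, dst, proto, sport, dport)

class StatefulFilter:
    def __init__(self, window: float = 30.0):
        self.window = window                # seconds a reply window stays open
        self.state: Dict[Key, float] = {}   # expected reply tuple -> expiry time

    def _expire(self, now: float) -> None:
        # Drop state entries whose time window has closed.
        self.state = {k: t for k, t in self.state.items() if t > now}

    def outbound(self, h: Header, now: float) -> bool:
        # Static rule (assumed policy): internal hosts may reach TCP/80 or UDP/53.
        if (h.proto, h.dport) not in {("tcp", 80), ("udp", 53)}:
            return False
        # Open a time window for replies from exactly the contacted host/port.
        self.state[(h.dst, h.src, h.proto, h.dport, h.sport)] = now + self.window
        return True

    def inbound(self, h: Header, now: float) -> bool:
        # Inbound traffic is admitted only if it matches an open reply window.
        self._expire(now)
        return (h.src, h.dst, h.proto, h.sport, h.dport) in self.state

def demo() -> Dict[str, bool]:
    # Constructed traffic: a DNS query, its reply, a reply from a different
    # host, and the same reply arriving after the window has expired.
    f = StatefulFilter(window=30.0)
    query = Header("10.0.0.5", "203.0.113.10", "udp", 40000, 53)
    reply = Header("203.0.113.10", "10.0.0.5", "udp", 53, 40000)
    stranger = Header("203.0.113.99", "10.0.0.5", "udp", 53, 40000)
    return {
        "query_allowed": f.outbound(query, now=0.0),
        "reply_allowed": f.inbound(reply, now=5.0),
        "other_host_allowed": f.inbound(stranger, now=5.0),
        "late_reply_allowed": f.inbound(reply, now=40.0),
    }
```

The entry opened by `outbound` is keyed on the reversed five-tuple, which is why the reply from the same host passes and the one from a different host does not.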
