Security Basics mailing list archives
Re: statefull inspection FW and hackers
From: Roman Fulop <ml () ensof1 trithem sk>
Date: Wed, 20 Aug 2008 18:11:04 +0200
Hi,

In my opinion, the general answer would be that it helps, because a stateful filter could determine the allowed traffic more precisely. More specifically, just some quick thoughts:

- you could filter certain port scanning techniques (e.g. ACK), because ACK packets not belonging to any connection would be dropped by the filter, even if they had the source port of some common service (e.g. 80, and you can't block ACK packets with a stateless filter, because they can easily be a legitimate response from the server).
- some implementations allow state tracking of stateless protocols, like UDP. Then you could, for example, filter DNS requests to a recursive caching name server from outside of the local network, which needs to receive answers from outside servers on port 53.
- some implementations even track the state of more complex protocols, like FTP, so in the case of a passive FTP server, you don't need to allow connections to high ports and, on the other side, you would not need to allow incoming connections on the gateway for active FTP servers.

etc.

Juan B wrote:
Hi, Can someone please explain why stateful inspection FW helps against hackers? I know that those FW keep track of the sessions but I don't understand how the feature might help against a port scan from the internet or other ways to mitigate hackers' attacks.
Thanks Juan
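
The first two points of the reply above, as an added example that is not part of the original message: a toy stateless rule set and a toy connection tracker judge the same constructed packets. The addresses, ports, rule set and all names (`Packet`, `stateless_allow`, `StatefulFilter`, `compare`) are assumptions made for illustration, and the tracker deliberately omits timeouts and TCP state-machine checks.

```python
from dataclasses import dataclass

INSIDE = "192.0.2."  # constructed internal prefix (documentation address range)

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags: "S" = SYN, "SA" = SYN+ACK, "A" = bare ACK

def stateless_allow(p: Packet) -> bool:
    """Per-packet rules only: no memory of earlier traffic."""
    if p.src.startswith(INSIDE):
        return True                              # outbound is always allowed
    if p.proto == "tcp":                         # "looks like a web server reply"
        return p.sport == 80 and "A" in p.flags
    return p.proto == "udp" and p.sport == 53    # "looks like a DNS answer"

class StatefulFilter:
    """Toy connection tracker: no timeouts, no TCP state machine."""
    def __init__(self):
        self.flows = set()

    def allow(self, p: Packet) -> bool:
        if p.src.startswith(INSIDE):
            # An outbound packet creates state (pseudo-state for UDP).
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        # An inbound packet must be the reverse of a flow opened from inside.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows

# Constructed sample traffic, in arrival order.
PACKETS = [
    Packet("tcp", "192.0.2.10", 40000, "198.51.100.5", 80, "S"),   # client opens HTTP
    Packet("tcp", "198.51.100.5", 80, "192.0.2.10", 40000, "SA"),  # real server reply
    Packet("tcp", "203.0.113.9", 80, "192.0.2.20", 445, "A"),      # unsolicited ACK, sport 80
    Packet("udp", "192.0.2.53", 53, "198.51.100.53", 53),          # resolver asks upstream
    Packet("udp", "198.51.100.53", 53, "192.0.2.53", 53),          # upstream answer
    Packet("udp", "203.0.113.9", 53, "192.0.2.53", 53),            # outside packet to resolver
]

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

if __name__ == "__main__":
    for p, verdicts in zip(PACKETS, compare(PACKETS)):
        print(p, verdicts)
```

Both filters pass the legitimate replies; only the connection tracker drops the unsolicited ACK and the unsolicited UDP packet, because neither matches a flow opened from inside.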