Firewall Wizards mailing list archives
Re: CERT vulnerability note VU# 539363
From: Paul Robertson <proberts () patriot net>
Date: Wed, 16 Oct 2002 12:18:03 -0400 (EDT)
On 16 Oct 2002, Frank Knobbe wrote:
> Not for inbound connections, but doesn't a stateful firewall prevent non-legit outbound connections? If the firewall protecting a web server
Not really...
> were stateless (read packet filter), the web server could establish connections to the outside with a source port of 80, and a backdoor would be able to connect to its master. However, if state is kept, and only inbound connections to port 80 are allowed, then the backdoor can not establish a connection to the outside using source port 80.
Outbound non-ack packets would stop this for a Web server, and if the trojan is able to bind() to port 80 and service inbound requests (not that it's not possible) without fooling the HTTP daemon, then methinks filtering is the least of your problems.
> To me it seems that stateless access control only protects my side from incoming traffic, but I also want to enforce access control on outbound traffic. In order to distinguish between a valid response and a new connection, isn't state helpful?
It can be, but potentially it can be a problem too- state tables can fill up, where a stateless filter doesn't have that issue.
> I understand that I could filter any packets from the web server (in above example) by denying packets with SYN flag set, so maybe above rant is only valid for UDP. But in general I believe state is useful in access control. Or am I way off?
I find it slightly useful for UDP, but overall think the added complexity doesn't bring much in the way of protection if you carefully design your architecture. The performance information that this thread has started IS interesting, and it's started me wondering about the whole "filter on a router vs. firewall" thing again.

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment
                           TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
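The "source port 80 backdoor" case and Paul's "outbound non-ACK" rule, as an added example that is not part of the thread: a toy stateless filter evaluates the same constructed packets under a policy that trusts the source port alone and under one that requires ACK on outbound TCP from port 80. Host and client addresses are constructed.

```python
# Added example, not from the thread: a toy stateless filter modelling the two
# outbound policies discussed above for a web server at 10.0.0.80 (constructed).
# Policy A trusts the source port alone; policy B is still stateless but only
# lets TCP leave port 80 when ACK is set, so a backdoor's bare SYN is dropped.
from dataclasses import dataclass

WEB_SERVER = "10.0.0.80"

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN", "ACK"}; empty for UDP

def inbound_to_web(p: Packet) -> bool:
    return p.proto == "tcp" and p.dst == WEB_SERVER and p.dport == 80

def policy_a(p: Packet) -> bool:
    """Stateless: anything leaving the server from port 80 (or UDP 53) passes."""
    if inbound_to_web(p):
        return True
    return p.src == WEB_SERVER and p.sport in (80, 53)

def policy_b(p: Packet) -> bool:
    """Stateless, but outbound TCP from port 80 must carry ACK. Replies
    (SYN/ACK, ACK, data) always do; a new connection is a bare SYN and is
    dropped. UDP has no flags, so for port 53 this is no better than policy A."""
    if inbound_to_web(p):
        return True
    if p.proto == "tcp" and p.src == WEB_SERVER and p.sport == 80:
        return "ACK" in p.flags
    return p.proto == "udp" and p.src == WEB_SERVER and p.sport == 53

# Constructed traffic: a legitimate HTTP handshake, a backdoor on the web
# server calling out from port 80, and a UDP datagram leaving port 53.
CLIENT_SYN = Packet("tcp", "198.51.100.7", 40000, WEB_SERVER, 80, frozenset({"SYN"}))
SERVER_SYNACK = Packet("tcp", WEB_SERVER, 80, "198.51.100.7", 40000, frozenset({"SYN", "ACK"}))
BACKDOOR_SYN = Packet("tcp", WEB_SERVER, 80, "203.0.113.9", 31337, frozenset({"SYN"}))
UDP_FROM_53 = Packet("udp", WEB_SERVER, 53, "203.0.113.9", 5353)

if __name__ == "__main__":
    for name, p in [("client SYN", CLIENT_SYN), ("server SYN/ACK", SERVER_SYNACK),
                    ("backdoor SYN", BACKDOOR_SYN), ("UDP from 53", UDP_FROM_53)]:
        print(f"{name:15} A={policy_a(p)!s:5} B={policy_b(p)}")
```

Only the backdoor's outbound SYN differs between the two policies; the UDP line shows why the flag check buys nothing there.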