Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 27 Nov 2007 11:14:22 -0500

Paul Melson wrote:
> State tables allow your firewall to have a deny-all
> default inbound policy and an allow-all default outbound policy.

Thanks for playing. A router with "established" SYN/ACK
filtering gives you exactly the same thing, with basically
the same degree of assurance.

If all you're doing is setting up a "one way mirror" style policy
it's a no-brainer. If you're allowing incoming traffic to targets
behind the firewall then it's a layer-7 problem for the service
on the target - unless the firewall is doing some additional
layer-7 security. (hint: regexp match causes packet drop
is "deep packet inspection")

What I'm trying to get people to understand is that there are
these cool sounding marketing terms like "stateful" and
"deep packet" which, when you look under the covers,
are basically not doing a whole lot. Yet, because they
have been so effectively marketed, they have been accepted
as terms of art without any examination at all. Kind of like
the way "alternative medicine" has been accepted as
"medicine" without passing the all-important stage at
which it has to prove it actually does something. That
is exactly why I used the term "placebo" for "stateful
inspection"; acupuncture patients report the same degree
of improvement in controlled studies as patients that
receive fake acupuncture. If a network protected by a
correctly configured router+ACLs and layer-7 controls
is just as safe as a network protected by a correctly
configured "stateful inspection" firewall and layer-7
controls then what does that tell you?

In a "stateful" firewall the state is all held in the firewall,
but in a router+ACLs relying on TCP SYN/ACK semantics
the state is held in the endpoint/target's IP stack. What
happens if I send a packet to a target that has ACK
set but that is not part of a TCP stream that has been
established in the target's IP stack? Compare and contrast
this with what happens if I send a packet toward a "stateful"
firewall that is not part of an established stream. Second
question: what does the "stateful" firewall do if the
un-established packet (i.e.: not associated with a known
stream) comes at it from the "authorized" side of the network
or interface or IP range?

By exploring questions like these, we can realize what a
"stateful inspection" firewall actually does. I don't expect to
change anyone's mind on this topic. After all, homeopathy,
acupuncture, chiropractic, energy therapy, etc - have been
revealed as placebos for decades, yet huge amounts of
money are still spent on them because anecdotal evidence
carries a great deal of weight in human affairs. After all, who
has done side-by-side comparisons between "stateful inspection"
firewalls and just a plain old router? Everyone always does
side-by-side comparisons between various brands of firewalls -
and all they can think of to measure is performance. Doesn't
that tell you something? If you have a device that purports
to do security, and you can't measure anything about its
purported security properties, shouldn't that peg your
skeptico-meter?

Last topic: "inspection". The term "inspection" has been
successfully glued onto these devices by marketing
weasels for over a decade. Can anyone tell me what
"inspection" is going on? What is inspected, and how, and
what decisions are made as a result of that inspection?

I can easily enumerate the "inspection" done by early
Checkpoint firewalls. It was "inspecting" the FTP command
stream for lines beginning with "PORT...." and dynamically
opening a return-hole rule for the ( source, destination ) pair.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
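The two questions Ranum poses (what an "established" ACL does with a forged ACK versus what a state table does with it, and what the state table does with an unknown packet from the trusted side), together with the FTP PORT "inspection" he attributes to early Checkpoint firewalls, worked through as a toy model. This is an added example, not code from the post, the thread or any vendor; the Packet structure, the simplified state machine (no sequence numbers, timeouts or RST handling) and all addresses and ports are constructed for the demo.

```python
# Added example: a stateless "established" ACL next to a minimal state table,
# plus FTP PORT inspection opening a return hole. Structures, addresses and
# the simplified state machine are assumptions made for this demo only.
from dataclasses import dataclass
from typing import Dict, Set, Tuple

INSIDE, OUTSIDE = "inside", "outside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    ingress: str = OUTSIDE  # interface the packet arrives on


FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


def established_acl(pkt: Packet) -> bool:
    """Stateless router ACL: permit anything from inside; from outside permit
    only segments with ACK set (Cisco's "established" also matches RST; omitted).
    The router remembers nothing, so a forged ACK passes and it is the target's
    TCP stack that has to reject it."""
    return pkt.ingress == INSIDE or pkt.ack


class StatefulFilter:
    """Minimal state table: a packet from inside creates a flow entry (the
    trusted side is never challenged); a packet from outside must match an
    existing flow or a pinhole, otherwise it is dropped."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()
        self.pinholes: Set[FlowKey] = set()

    def permit(self, pkt: Packet) -> bool:
        key: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: FlowKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.ingress == INSIDE:
            self.flows.add(key)
            return True
        if key in self.flows or reverse in self.flows:
            return True
        if key in self.pinholes:        # opened dynamically by FTP inspection
            self.pinholes.discard(key)  # one-shot: consumed by the first SYN
            self.flows.add(key)
            return True
        return False  # unknown ACK (or SYN) from outside: dropped here


def parse_ftp_port(line: str) -> Tuple[str, int]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' (RFC 959): host h1.h2.h3.h4, port p1*256+p2.
    Raises ValueError on malformed input rather than opening a hole for it."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    fields = line[5:].strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs exactly six fields")
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT field out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def open_ftp_pinhole(fw: StatefulFilter, server: str, line: str) -> FlowKey:
    """The 'inspection' described in the post: watch the command stream for
    PORT and permit the server's data connection (source port 20) back to the
    address and port the client named."""
    host, port = parse_ftp_port(line)
    key: FlowKey = (server, 20, host, port)
    fw.pinholes.add(key)
    return key


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Run the post's scenarios through both designs.
    Returns {scenario: (router_acl_verdict, stateful_verdict)}."""
    fw = StatefulFilter()
    client, outsider, ftp_server = "192.0.2.10", "203.0.113.9", "203.0.113.21"
    forged_ack = Packet(outsider, 4444, client, 22, ack=True)
    bare_syn = Packet(outsider, 4445, client, 22, syn=True)
    inside_syn = Packet(client, 51000, outsider, 80, syn=True, ingress=INSIDE)
    reply = Packet(outsider, 80, client, 51000, syn=True, ack=True)
    # Active-mode FTP: the client announces its data port, the server connects in.
    open_ftp_pinhole(fw, ftp_server, "PORT 192,0,2,10,200,5")  # 200*256+5 = 51205
    data_syn = Packet(ftp_server, 20, client, 51205, syn=True)
    return {
        "forged ACK from outside, no flow": (established_acl(forged_ack), fw.permit(forged_ack)),
        "bare SYN from outside": (established_acl(bare_syn), fw.permit(bare_syn)),
        "SYN from inside (creates state)": (established_acl(inside_syn), fw.permit(inside_syn)),
        "SYN/ACK reply matching that flow": (established_acl(reply), fw.permit(reply)),
        "FTP data SYN after PORT inspection": (established_acl(data_syn), fw.permit(data_syn)),
    }


if __name__ == "__main__":
    for scenario, (acl, stateful) in compare().items():
        print(f"{scenario:36} router-ACL={acl!s:5} stateful={stateful}")
```

The first scenario is the one the post asks about: the ACL forwards the forged ACK and leaves the target's stack to answer it with a RST, while the state table drops it at the firewall. The last scenario is the one place the two designs give different answers on legitimate traffic: a plain "established" ACL cannot pass the server-initiated FTP data connection at all, so a router deployment has to permit inbound port 20 statically, which is the hole the PORT inspection opens only per (source, destination) pair and only after the client asked for it.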
