IDS mailing list archives

Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)


From: Thomas Ptacek <tqbf () arbor net>
Date: Wed, 25 Aug 2004 13:02:58 -0400


On Aug 18, 2004, at 2:29 PM, Joel Snyder wrote:
To get into the firewall sweepstakes, you have to start with stateful packet inspection, not the weak crap you get for free in some freeware firewalls, but something that watches sequence numbers and the *full* TCP state machine, plus options, defragmentation, all that jazz.

A genuine (non-rhetorical) question:

Why do we think this is true?

What are the security benefits of watching sequence numbers, the TCP state machines, and options? (Sidenote: someone should do a quick study to see how many "stateful firewalls" properly implement TCP PAWS --- like every modern OS TCP stack does).

(Also, do all stateful firewalls actually reassemble IP fragments? What happens when they encounter asymmetry? Is it enough just to drop fragments?)

I'm sure there are lots of good reasons for stateful tracking of sessions, but I'd like to hear them stated authoritatively.

(ObDisclaimer: I'm a full-proxy partisan).

---
Thomas H. Ptacek // Product Manager, Arbor Networks
(734) 327-0000
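As an added illustration of the two checks the question above asks about (sequence-window tracking and TCP PAWS), here is a small stand-alone Python model of what a "stateful" device would have to do per flow. It is example code written for this archive page, not Ptacek's, Arbor's or any firewall vendor's code; the window test follows RFC 793's acceptability rule, the timestamp test follows RFC 7323's PAWS rule (including the 24-day idle limit after which TS.Recent is considered stale), and the segments fed to it are constructed inline.

```python
"""
Toy per-flow TCP validator: RFC 793 sequence-window acceptability plus the
PAWS timestamp check of RFC 7323.  Added example, not from the original
thread; a real firewall also tracks the full state machine, both directions,
and reassembly, which this deliberately omits.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple

MASK = 0xFFFFFFFF
PAWS_IDLE_LIMIT_MS = 24 * 24 * 3600 * 1000   # RFC 7323 5.3: TS.Recent is stale after 24 days

def seq_lt(a: int, b: int) -> bool:
    """Modular 32-bit 'a < b' (works across sequence/timestamp wrap)."""
    return ((a - b) & MASK) > 0x7FFFFFFF

def seq_between(lo: int, x: int, hi_excl: int) -> bool:
    """Modular 'lo <= x < hi_excl'."""
    return ((x - lo) & MASK) < ((hi_excl - lo) & MASK)

@dataclass
class Segment:
    seq: int
    length: int                    # payload bytes
    tsval: Optional[int] = None    # TCP timestamp option value, if present

@dataclass
class FlowState:
    rcv_nxt: int                   # next sequence number the receiver expects
    rcv_wnd: int                   # receiver's advertised window
    ts_recent: Optional[int] = None
    ts_recent_time_ms: int = 0     # when ts_recent was last updated

def in_window(seg: Segment, st: FlowState) -> bool:
    """RFC 793 3.3 acceptability test: some byte of the segment lies in the window."""
    hi = st.rcv_nxt + st.rcv_wnd
    if seg.length == 0:
        if st.rcv_wnd == 0:
            return seg.seq == st.rcv_nxt
        return seq_between(st.rcv_nxt, seg.seq, hi)
    if st.rcv_wnd == 0:
        return False
    last = (seg.seq + seg.length - 1) & MASK
    return seq_between(st.rcv_nxt, seg.seq, hi) or seq_between(st.rcv_nxt, last, hi)

def paws_rejects(seg: Segment, st: FlowState, now_ms: int) -> bool:
    """RFC 7323 PAWS: drop if TSval is older than TS.Recent and TS.Recent is not stale."""
    if seg.tsval is None or st.ts_recent is None:
        return False
    if now_ms - st.ts_recent_time_ms > PAWS_IDLE_LIMIT_MS:
        return False               # TS.Recent too old to trust; PAWS test is skipped
    return seq_lt(seg.tsval, st.ts_recent)

def naive_check(seg: Segment, st: FlowState, now_ms: int = 0) -> str:
    """What a 'stateful' device that only matches the 4-tuple effectively does."""
    return "accept"

def check_segment(seg: Segment, st: FlowState, now_ms: int = 0) -> str:
    """Full check; mutates st on accept like a receiver would."""
    if not in_window(seg, st):
        return "drop:out-of-window"
    if paws_rejects(seg, st, now_ms):
        return "drop:paws-stale-timestamp"
    # RFC 7323 4.3: update TS.Recent when TSval >= TS.Recent and SEG.SEQ <= Last.ACK.sent
    if seg.tsval is not None and (st.ts_recent is None or not seq_lt(seg.tsval, st.ts_recent)) \
            and not seq_lt(st.rcv_nxt, seg.seq):
        st.ts_recent, st.ts_recent_time_ms = seg.tsval, now_ms
    if seg.seq == st.rcv_nxt:     # in-order data advances the expected sequence number
        st.rcv_nxt = (st.rcv_nxt + seg.length) & MASK
    return "accept"

def run_demo() -> List[Tuple[str, str, str]]:
    """Constructed segments against one flow: (case, naive verdict, stateful verdict)."""
    out = []
    cases = [
        ("in-order, fresh timestamp", Segment(1000, 100, tsval=5001), 0),
        ("far outside the window",    Segment(50_000_000, 100, tsval=5002), 0),
        ("old timestamp, flow active", Segment(1000, 100, tsval=10), 0),
        ("old timestamp, flow idle >24d", Segment(1000, 100, tsval=10), PAWS_IDLE_LIMIT_MS + 1),
    ]
    for name, seg, now in cases:
        st = FlowState(rcv_nxt=1000, rcv_wnd=65535, ts_recent=5000, ts_recent_time_ms=0)
        out.append((name, naive_check(seg, st, now), check_segment(seg, st, now)))
    return out

if __name__ == "__main__":
    for name, naive, full in run_demo():
        print(f"{name:32s} naive={naive:7s} stateful={full}")
```

The last case is the one worth noticing when auditing a product: PAWS is only meaningful while TS.Recent is fresh, so a device that claims to implement it should both reject the stale-timestamp segment on an active flow and stop applying the test once the flow has been idle past the limit.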



