Re: statefull inspection FW and hackers

[Roman Fulop <ml () ensof1 trithem sk>]

Hi,

I my opinion, general answer would be that it helps, because stateful
filter could determine the allowed traffic more precisely. More
specifically, just some quick thoughts:

- you could filter certain port scanning techniques (e.g. ACK), because
ACK packets not belonging to any connection would be dropped by filter,
even if they had source port of some common service (e.g. 80 and you
can't block ACK packets with stateless filter, because they can easily
be legitimate response from the server).

- some implementations allow state tracking of stateless protocols, like
UDP. Then you could for example filter DNS requests to recursive caching
name server from outside of the local network, which needs to receive
answers from outside servers on port 53.

- some implementations even track state of more complex protocols, like
FTP, so in case of passive FTP server, you don't need to allow
connections to high ports and on the other side, you would not need to
allow incoming connections on gateway for active FTP servers.

etc.


Juan B wrote:
> Hi,
>
> Can someone please explain why statefull  inspection Fw helps against
hackers? I know that those FW keep track of the sessions but I dont
understand how the feature might help against a port scan from the
internet or other ways to mitigate hackers attacks.
> Thanks
>
> Juan