Security Basics mailing list archives

Re: statefull inspection FW and hackers

From: Adriel Desautels <adriel () netragard com>
Date: Wed, 20 Aug 2008 16:31:39 -0400

My two cents:

Stateful Packet Inspection ("SPI") firewalls maintain (or keep) the
state of network connections passing through them. "Keeping the state"
enables the firewalls to accurately distinguish legitimate packets for
various connections from rogue unwanted packets. While the legitimate
packets are allowed, the rogue packets are rejected.

I remember when Checkpoint used "Stateful Inspection" as a marketing
term and claimed to be the company with the only commercial firewall
with the stateful inspection capability. In my opinion stateful
inspection doesn't provide much of a security benefit when weighed
against today's attack methodologies, but it does do what it was
designed to do very well.


Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Andrea Gatta wrote:

Hi Juan,
a stateful inspection firewall can greatly improve the security of
your perimeter even in case of a port scan. Think about the following
scenario: an attacker is trying to "fly under the radar" using common
scanning techniques, let's say using a FYN scan. In that case a static
packet filter will not see and - most important - LOG such activity.
So you won't be aware a reconnaissance is taking place.

On the other hand, a stateful inspection firewall - and I mean with
that expression a device that has the concept of 'session' and at the
same time is capable to work both on the header and the payload -
might help preventing attacks even on open and exposed applications.
An example of that is an IPS which is nothing more than a stateful
inspection firewall which uses signatures to patter match stuff
happening on the wire.

Another thing I have learned is that what stateful really means can
change from vendor to vendor. So one good point would be to clearly
understand if we are talking about stateful packet filtering and/or
stateful inspection. They are not clearly the same thing.

Hope that helps.

Andrea
On Wed, Aug 20, 2008 at 7:04 AM, Juan B <juanbabi () yahoo com> wrote:


Hi,

Can someone please explain why statefull  inspection Fw helps against hackers? I know that those FW keep track of 
the sessions but I dont understand how the feature might help against a port scan from the internet or other ways to 
mitigate hackers attacks.

Thanks

Juan

Current thread:

statefull inspection FW and hackers Juan B (Aug 20)
- Re: statefull inspection FW and hackers Adam Mooz (Aug 20)
- Re: statefull inspection FW and hackers Roman Fulop (Aug 20)
- RE: statefull inspection FW and hackers David Gillett (Aug 20)
  - Re: statefull inspection FW and hackers Andrea Gatta (Aug 21)
    - Re: statefull inspection FW and hackers ॐ aditya mukadam ॐ (Aug 25)
- Re: statefull inspection FW and hackers Andrea Gatta (Aug 20)
  - Re: statefull inspection FW and hackers Adriel Desautels (Aug 20)
- <Possible follow-ups>
- Re: statefull inspection FW and hackers aditya . mukadam (Aug 25)