Firewall Wizards mailing list archives

RE: Term Explanation


From: Ben Nagy <bnagy () cpms com au>
Date: Fri, 11 Feb 2000 10:29:08 +1030

-----Original Message-----
From: jmfreema () cscploenzke de [mailto:jmfreema () cscploenzke de]
Sent: Tuesday, 8 February 2000 7:27 PM
To: firewall-wizards () nfr net
Subject: Term Explanation


I've been seeing a lot of information on various firewall products, and require
a bit of help from the people that know.  Can someone give me a brief
explanation of the following:

No. Well, not brief, anyway.


   dynamic packet filtering

OK. You know what packet filtering is, right? Well, if you just write down a
heap of filtering rules and stick them in a router, they won't ever change -
they're _static_.

As one might assume, _dynamic_ packet filters change. Dynamically. Exactly
how they change is implementation dependent, but you could reasonably use
this term any time you have a set of filtering rules that changes in a
reactive manner.

One example: a host on the inside of the network sends a UDP packet out to a
remote host on port 53 - looks like DNS. I don't normally allow UDP in from
the outside because it's too hard to track, but in this case, I'll open a
teeny hole in my firewall FROM the remote host FROM port 53 TO the host that
asked for it TO the port they asked for it from. I'll keep it open for about
a minute and then slam it shut again.


   stateful inspection

Ask Checkpoint. Oh wait, don't ask them - ask someone with a _good_
implementation. ;) (Go on...flame me. I dare you....)

This is complicated. To understand the concept, however, this may serve.

TCP has fairly strict rules about what goes on in a conversation. There are
handshakes. There are sequence numbers. There are windows. A SYN needs to
come before a SYN/ACK and PSH comes after them, and lord help us if we get a
weird SYN/ACK/URG when the state machine is in FIN_WAIT_2 - we might have to
RST etc etc etc. Basically it's tricky.

There are lots of TCP attacks based on how tricky it is where hackers try to
break the rules in such a way that the end systems get all confused and the
hackers win and eat our data.

To save poor little Windows '95 boxes all the trouble of having a well-coded
TCP stack, a stateful inspection box will check all the conversations
passing through it and make sure that everyone is following the rules. It's
a lot harder for hackers to bust stuff if they have to follow _all_ the
rules instead of just some of them.

And this is different to dynamic packet filtering how? One (dynamic
filtering) adapts what is allowed and what isn't based on things that
happen. The other (stateful packet filter) is essentially a traffic cop that
makes sure that the traffic we have decided to allow is all nice and legal.
They are complementary tech - a merits argument between them would be silly.

Hopefully this helps a bit.

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520
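As an added illustration (not part of Ben's post, and not the code of any product mentioned in it), the following Python sketch models both ideas the post describes: the dynamic rule that opens a short-lived return hole for an outbound UDP query to port 53, and the stateful check that only passes TCP segments that fit the handshake state the filter has already seen, so a SYN/ACK with no preceding SYN, or a fresh SYN in the middle of an established conversation, is dropped. The Packet record, the INSIDE address set, the 60-second hole lifetime, the remote address and the packet trace are all constructed assumptions; a real filter reads these fields from the IP/UDP/TCP headers and tracks far more (sequence numbers, windows, RST, timeouts), which this toy leaves out.

```python
from dataclasses import dataclass

# Constructed packet record; a real filter fills these fields from the IP/UDP/TCP headers.
@dataclass(frozen=True)
class Packet:
    proto: str                       # "udp" or "tcp"
    direction: str                   # "out" = inside -> outside, "in" = outside -> inside
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. frozenset({"SYN", "ACK"})
    t: float = 0.0                   # seconds on a constructed clock

INSIDE = {"10.0.0.5"}   # assumed trusted-side hosts
HOLE_TTL = 60.0         # "about a minute", as in the post

def _key(p):
    # Normalise either direction to (inside_ip, inside_port, outside_ip, outside_port).
    if p.direction == "out":
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)

class Filter:
    def __init__(self):
        self.holes = {}   # dynamic UDP return holes -> expiry time
        self.tcp = {}     # TCP conversation -> state observed so far

    def check(self, p):
        # Return "allow" or "drop" for one packet; holes close by themselves once the minute is up.
        self.holes = {k: exp for k, exp in self.holes.items() if exp > p.t}
        if p.proto == "udp":
            return self._udp(p)
        if p.proto == "tcp":
            return self._tcp(p)
        return "drop"

    def _udp(self, p):
        key = _key(p)
        if p.direction == "out" and p.src in INSIDE and p.dport == 53:
            self.holes[key] = p.t + HOLE_TTL   # open a hole FROM remote:53 TO the asking host:port
            return "allow"
        if p.direction == "in" and key in self.holes:
            return "allow"  # the reply we were expecting
        return "drop"       # unsolicited UDP from outside is never let in

    def _tcp(self, p):
        key = _key(p)
        st = self.tcp.get(key, "NONE")
        f = p.flags
        if st == "NONE":
            # Only an inside host may start a conversation, and only with a bare SYN.
            if p.direction == "out" and f == {"SYN"}:
                self.tcp[key] = "SYN_SENT"
                return "allow"
            return "drop"
        if st == "SYN_SENT":
            if p.direction == "in" and f == {"SYN", "ACK"}:
                self.tcp[key] = "SYN_RECV"
                return "allow"
            return "drop"
        if st == "SYN_RECV":
            if p.direction == "out" and f == {"ACK"}:
                self.tcp[key] = "ESTABLISHED"
                return "allow"
            return "drop"
        # ESTABLISHED / FIN_WAIT / LAST_ACK: data may flow, but a fresh SYN breaks the rules.
        if "SYN" in f:
            return "drop"
        if "FIN" in f:
            self.tcp[key] = "FIN_WAIT" if st == "ESTABLISHED" else "LAST_ACK"
        elif st == "LAST_ACK" and "ACK" in f:
            self.tcp.pop(key, None)   # final ACK: conversation finished, forget it
        return "allow"

def run(packets):
    fw = Filter()
    return [fw.check(p) for p in packets]

R = "198.51.100.1"   # constructed remote address; the trace below is constructed too
TRACE = [
    Packet("udp", "out", "10.0.0.5", 4000, R, 53, t=0),                           # allow: opens the hole
    Packet("udp", "in", R, 53, "10.0.0.5", 4000, t=5),                            # allow: expected reply
    Packet("udp", "in", R, 53, "10.0.0.5", 4001, t=5),                            # drop: wrong port
    Packet("udp", "in", R, 53, "10.0.0.5", 4000, t=70),                           # drop: hole expired
    Packet("tcp", "in", R, 80, "10.0.0.5", 5000, frozenset({"SYN", "ACK"}), 71),  # drop: SYN/ACK without a SYN
    Packet("tcp", "out", "10.0.0.5", 5000, R, 80, frozenset({"SYN"}), 72),        # allow
    Packet("tcp", "in", R, 80, "10.0.0.5", 5000, frozenset({"SYN", "ACK"}), 73),  # allow
    Packet("tcp", "out", "10.0.0.5", 5000, R, 80, frozenset({"ACK"}), 74),        # allow: established
    Packet("tcp", "in", R, 80, "10.0.0.5", 5000, frozenset({"PSH", "ACK"}), 75),  # allow: data
    Packet("tcp", "in", R, 80, "10.0.0.5", 5000, frozenset({"SYN"}), 76),         # drop: SYN mid-conversation
    Packet("tcp", "out", "10.0.0.5", 5000, R, 80, frozenset({"FIN", "ACK"}), 77), # allow
    Packet("tcp", "in", R, 80, "10.0.0.5", 5000, frozenset({"FIN", "ACK"}), 78),  # allow
    Packet("tcp", "out", "10.0.0.5", 5000, R, 80, frozenset({"ACK"}), 79),        # allow: final ACK
    Packet("tcp", "in", R, 80, "10.0.0.5", 5000, frozenset({"ACK"}), 80),         # drop: conversation is over
]

if __name__ == "__main__":
    for p, v in zip(TRACE, run(TRACE)):
        print(v, p.proto, p.direction, f"{p.src}:{p.sport} -> {p.dst}:{p.dport}", sorted(p.flags))
```

The two mechanisms live in one object only for compactness; the UDP part is the "dynamic" behaviour (the rule set grows and shrinks with what the inside hosts do), while the TCP part is the "traffic cop" (the conversation is already allowed, the filter just insists everyone follows the handshake). Both give the same answer to an outsider who tries to start a conversation: drop.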


