Firewall Wizards mailing list archives
RE: FW Sequence Number based statefulness
From: Nimesh vakharia <nvakhari () clio rad sunysb edu>
Date: Mon, 14 May 2001 18:28:46 -0400 (EDT)
Thanks, that's what I expected. There is also an opinion out there that if you go to the extent of maintaining statefulness based on sequencing to keep the bad boys out, then you might as well go all the way with it (i.e. buffer for out-of-sequence packets) and match them byte to byte. This would require a thorough statistical analysis of what would be a good buffer to maintain per connection, and also of how it affects the client/server window sizes, since they are seeing packets in sequence, effects on TCP congestion avoidance mechanisms, etc. Obviously you are compromising net throughput for security, but something to look into. Anyway, thanks for your input.

Nimesh.

On Mon, 14 May 2001, Peter Crocker wrote:
> Nimesh,
>
> TCP sequence checking monitors and validates the serialization of bytes.
> Sequence checking involves continuous learning and remembering of the
> (trusted client) TCP byte sequence counter, and validating the receipt of
> (untrusted server) acknowledgements. It verifies that the untrusted
> acknowledgement number is in the range of the trusted sequence number and
> window. (The window may use an appropriately selected fixed value, say 32
> or 64K, rather than strictly monitoring the window. The implementation may
> also verify the trusted acknowledgement number against the untrusted
> sequence number, but this may not be necessary.) If the packets received
> by the firewall have TCP sequence numbers outside of the window for the
> given session, the packet is typically dropped.
>
> Regards,
> Peter
>
> -----Original Message-----
> From: Nimesh vakharia [mailto:nvakhari () clio rad sunysb edu]
> Sent: Monday, May 14, 2001 10:02 PM
> To: Peter Crocker
> Cc: 'Carson Gaspar'; firewall-wizards () nfr com
> Subject: RE: [fw-wiz] FW Sequence Number based statefulness
>
> Thanks, but the white paper is not clear on how it maintains state using
> sequence numbers. What does the firewall do in case it sees an out of
> sequence packet(s)?
>
> Nimesh.
>
> On Mon, 14 May 2001, Peter Crocker wrote:
>
> > You should expect this from any firewall product that does stateful
> > inspection of packets. You should also expect a lot more than just
> > sequence number checking. For example, here is how NetScreen implements
> > stateful inspection:
> > http://www.netscreen.com/products/firewall_wpaper.html
> >
> > Regards,
> > Peter
> >
> > -----Original Message-----
> > From: Carson Gaspar [mailto:carson () taltos org]
> > Sent: Sunday, May 13, 2001 12:08 AM
> > To: Nimesh vakharia; firewall-wizards () nfr com
> > Subject: Re: [fw-wiz] FW Sequence Number based statefulness
> >
> > --On Thursday, May 10, 2001 9:16 PM -0400 Nimesh vakharia
> > <nvakhari () clio rad sunysb edu> wrote:
> >
> > > Are there any firewalls out there that maintain state using sequence
> > > numbers in addition to port/IP etc.?
> >
> > Darren Reed's free ipfilter does.
> >
> > I'm fairly sure the PIX does (since it can re-write sequence numbers),
> > but I can't be certain (love that Cisco documentation...).
> >
> > --
> > Carson
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () nfr com
> > http://www.nfr.com/mailman/listinfo/firewall-wizards
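As an added illustration of the scheme Peter describes (learn the trusted client's sequence counter, accept the untrusted server's ACKs only inside that counter's window, drop anything outside it rather than buffering it, as Nimesh's reply notes), here is a toy Python checker. It is not code from the thread or from any firewall vendor; the fixed 64K window, the session key and the sequence numbers in the comments are constructed, and 32-bit wraparound is handled.

```python
"""Toy stateful TCP sequence/ack window checker (constructed example)."""

MOD = 1 << 32              # TCP sequence numbers are 32-bit and wrap
FIXED_WINDOW = 64 * 1024   # fixed window as suggested, instead of tracking the advertised one


def in_window(value, lower, size):
    """True if value lies in [lower, lower + size) modulo 2**32 (wrap-safe)."""
    return (value - lower) % MOD < size


class SequenceChecker:
    def __init__(self, window=FIXED_WINDOW):
        self.window = window
        self.next_seq = {}   # session key -> next byte the trusted client will send

    def trusted(self, key, seq, payload_len, syn=False, fin=False):
        """Segment from the trusted side: learn/advance its counter. True = pass."""
        consumed = payload_len + int(syn) + int(fin)   # SYN and FIN each use one sequence number
        if key not in self.next_seq:
            if not syn:
                return False                            # no state and not a new connection: drop
            self.next_seq[key] = (seq + consumed) % MOD
            return True
        nxt = self.next_seq[key]
        # Retransmissions (behind nxt) and data within one window ahead pass;
        # anything further out of sequence is dropped, not buffered.
        if not in_window(seq, (nxt - self.window) % MOD, 2 * self.window):
            return False
        end = (seq + consumed) % MOD
        if in_window(end, nxt, self.window + 1):       # advance only if end is at or ahead of nxt
            self.next_seq[key] = end
        return True

    def untrusted(self, key, ack):
        """Segment from the untrusted side: its ACK must lie in [nxt - window, nxt]."""
        nxt = self.next_seq.get(key)
        if nxt is None:
            return False
        return in_window(ack, (nxt - self.window) % MOD, self.window + 1)
```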