Re: how to determine whether a firewall is stateful

[firewalls () msg net]

> Even easier, run nmap -p0 -sA ... from the public towards on server on the
> private side (like an internal web server). Nmap will send a TCP ACK
> without an established connection. If you received a RST packet, you are
> not stateful.

When we first came up with ISIC I worked on this issue with several of my
'firewall wrecking crew' buddies, and found several cases where ACK would
be blocked, but other strange packets would leak.


> Else, you are at least keeping one state.
>
> But, being stateful at layer 4 is more complex than that: do you check
> sequence number ? what about IP fragmentation ?
>
> and what about L7 states ?
>
> There is no easy answer

It is a difficult problem.

Mike Scher (Neohapsis) has developed software for testing the 'statefulness'
of a stateful inspection firewall, and published their test results for a
number of firewalls.

The Network Computing article is reproduced here:

http://cnscenter.future.co.kr/resource/security/firewall/1223f2_file.pdf


Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards