RE: how to determine whether a firewall is stateful

["Ofir Arkin" <ofir () sys-security com>]

All,

I debated a bit before joining in for this thread. 

All of the given replies did not talk about what the hack is stateful,
and what stateful represents. And no, stateful is not only about TCP
(although it is one of the biggest problems to overcome when trying to
be stateful).

Stateful in my opinion is not only the underlying transport protocols
you are using or protocols at the IP layer, or at the physical layer.
Stateful is also about application specific protocols, and insight about
what the hell goes with the application. Of course that first you need
to be able to support TCP, UDP, ICMP, ARP and RARP (G, I guess not all
supporting those nice protocols) and than you need to shoot for
application based protocols. 

[Do not bother send me questions why I did not include IP here... :)]

There is a lot of hype and documentation war about this kind of
definitions. And I am sorry to say that sometimes vendors play the game.
A good example is Marcus Ranum's excellent paper about IDS testing...

The article @ network computing was nice until I gave a look at the
machines/systems used...

Netscreen sent a Netscreen 1000 which is the top of the line of their
product line... 90,000 USD. Other companies were not lagging that far.
But if you really looked you could see Checkpoint's NG at only 11,500
USD. And people who are familiar with Checkpoint's and Nokia platforms
knows that you can get more when you pick specific hardware which will
be more costly and you will enhance your performance.

And for the last paragraph of my post - NO opening a TCP port and
monitoring the TCP state is not being stateful when you let all the
garbage in utilizing the application. Because my friends, a lot of
applications have their own state to monitor.

Just my 2c for Saint Patrice's day 

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA  

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com] On Behalf Of firewalls () msg net
Sent: 15 March 2002 18:19
To: firewall-wizards () nfr com
Subject: Re: [fw-wiz] how to determine whether a firewall is stateful

> Even easier, run nmap -p0 -sA ... from the public towards on server on
the
> private side (like an internal web server). Nmap will send a TCP ACK
> without an established connection. If you received a RST packet, you
are
> not stateful.

When we first came up with ISIC I worked on this issue with several of
my
'firewall wrecking crew' buddies, and found several cases where ACK
would
be blocked, but other strange packets would leak.


> Else, you are at least keeping one state.
>
> But, being stateful at layer 4 is more complex than that: do you check
> sequence number ? what about IP fragmentation ?
>
> and what about L7 states ?
>
> There is no easy answer

It is a difficult problem.

Mike Scher (Neohapsis) has developed software for testing the
'statefulness'
of a stateful inspection firewall, and published their test results for
a
number of firewalls.

The Network Computing article is reproduced here:

http://cnscenter.future.co.kr/resource/security/firewall/1223f2_file.pdf


Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards