Firewall Wizards mailing list archives
RE: how to determine whether a firewall is stateful
From: "Ofir Arkin" <ofir () sys-security com>
Date: Sun, 17 Mar 2002 02:50:34 -0000
All,

I debated a bit before joining in for this thread. All of the given replies did not talk about what the heck is stateful, and what stateful represents. And no, stateful is not only about TCP (although it is one of the biggest problems to overcome when trying to be stateful).

Stateful in my opinion is not only the underlying transport protocols you are using or protocols at the IP layer, or at the physical layer. Stateful is also about application specific protocols, and insight about what the hell goes on with the application. Of course, first you need to be able to support TCP, UDP, ICMP, ARP and RARP (G, I guess not all support those nice protocols) and then you need to shoot for application based protocols. [Do not bother sending me questions why I did not include IP here... :)]

There is a lot of hype and documentation war about this kind of definitions. And I am sorry to say that sometimes vendors play the game. A good example is Marcus Ranum's excellent paper about IDS testing... The article @ Network Computing was nice until I gave a look at the machines/systems used... Netscreen sent a Netscreen 1000 which is the top of the line of their product line... 90,000 USD. Other companies were not lagging that far. But if you really looked you could see Checkpoint's NG at only 11,500 USD. And people who are familiar with Checkpoint's and Nokia platforms know that you can get more when you pick specific hardware which will be more costly and you will enhance your performance.

And for the last paragraph of my post - NO, opening a TCP port and monitoring the TCP state is not being stateful when you let all the garbage in utilizing the application. Because my friends, a lot of applications have their own state to monitor.
Just my 2c for Saint Patrick's Day

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of firewalls () msg net
Sent: 15 March 2002 18:19
To: firewall-wizards () nfr com
Subject: Re: [fw-wiz] how to determine whether a firewall is stateful
Even easier, run nmap -p0 -sA ... from the public towards one server on the private side (like an internal web server). Nmap will send a TCP ACK without an established connection. If you received a RST packet, you are not stateful.
When we first came up with ISIC I worked on this issue with several of my 'firewall wrecking crew' buddies, and found several cases where ACK would be blocked, but other strange packets would leak.
Else, you are at least keeping one state. But, being stateful at layer 4 is more complex than that: do you check sequence numbers? What about IP fragmentation? And what about L7 states? There is no easy answer.
It is a difficult problem. Mike Scher (Neohapsis) has developed software for testing the 'statefulness' of a stateful inspection firewall, and published their test results for a number of firewalls. The Network Computing article is reproduced here:
http://cnscenter.future.co.kr/resource/security/firewall/1223f2_file.pdf

Kevin Kadow

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
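The nmap -p0 -sA check quoted above and Ofir's point about sequence numbers and connection state, as an added Python example that is not part of the thread or of any vendor's product: a stateless filter that admits any inbound packet with the ACK bit set is run side by side with a minimal connection tracker over a constructed six-packet trace (the addresses, ports, sequence numbers and the 65535 acceptance window are all assumptions). The unsolicited ACK, which is what the nmap probe sends, and an in-flow segment with an out-of-window sequence number are both passed by the first filter and dropped by the second.

```python
from dataclasses import dataclass

MASK = 0xFFFFFFFF          # 32-bit TCP sequence space
WINDOW = 65535             # assumed acceptance window for the sequence check
INSIDE_PREFIX = "10.0.0."  # assumed: addresses on the private side


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # subset of "S", "A", "R", "F"; "SA" is a SYN/ACK
    seq: int
    ack: int = 0
    length: int = 0   # payload bytes


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def in_window(seq, expected):
    """True if seq lies in [expected, expected + WINDOW) modulo 2**32.
    Retransmissions of already-seen segments are not modelled."""
    return (seq - expected) & MASK < WINDOW


def next_seq(pkt):
    """Sequence number the sender should use next; SYN and FIN each count 1."""
    return (pkt.seq + pkt.length + ("S" in pkt.flags) + ("F" in pkt.flags)) & MASK


def stateless_filter(pkt):
    """Packet filter with no memory: outbound is allowed, inbound is allowed
    whenever the ACK bit is set ('part of an established connection')."""
    if is_inside(pkt.src):
        return "allow"
    return "allow" if "A" in pkt.flags else "deny"


class StatefulTracker:
    """Connection table that only inside-initiated SYNs can create; every
    later packet must belong to an entry and carry an in-window sequence."""

    def __init__(self):
        self.table = {}   # (client, cport, server, sport) -> state dict

    def _find(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:
            return fwd, "c2s"
        if rev in self.table:
            return rev, "s2c"
        return None, None

    def filter(self, pkt):
        key, direction = self._find(pkt)
        if key is None:
            if is_inside(pkt.src) and pkt.flags == "S":
                self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = {
                    "state": "SYN_SENT", "c_next": next_seq(pkt), "s_next": None}
                return "allow"
            return "deny"   # unsolicited ACK, inbound SYN, stray RST: no entry
        e = self.table[key]
        if e["state"] == "SYN_SENT" and direction == "s2c":
            # Only a SYN/ACK that acknowledges our SYN may answer this entry.
            if pkt.flags != "SA" or pkt.ack != e["c_next"]:
                return "deny"
            e["state"], e["s_next"] = "SYN_RECV", next_seq(pkt)
            return "allow"
        expected = e["c_next"] if direction == "c2s" else e["s_next"]
        if expected is None or not in_window(pkt.seq, expected):
            return "deny"   # forged or stale segment inside a known flow
        if "R" in pkt.flags:
            del self.table[key]   # an in-window reset tears the entry down
            return "allow"
        if (e["state"] == "SYN_RECV" and direction == "c2s"
                and "A" in pkt.flags and pkt.ack == e["s_next"]):
            e["state"] = "ESTABLISHED"
        e["c_next" if direction == "c2s" else "s_next"] = next_seq(pkt)
        return "allow"


# Constructed trace: one legitimate inside-initiated connection, an
# unsolicited ACK aimed at another inside host (what nmap -sA sends), and a
# forged in-flow segment with an out-of-window sequence number.
SAMPLE_TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S", seq=1000),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA", seq=5000, ack=1001),
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "A", seq=1001, ack=5001),
    Packet("198.51.100.7", 12345, "10.0.0.8", 80, "A", seq=7777),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "A", seq=999999, ack=1001),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "A", seq=5001, ack=1001, length=100),
]


def run_trace(packets):
    """Return (stateless, stateful) verdicts for each packet, in order."""
    tracker = StatefulTracker()
    return [(stateless_filter(p), tracker.filter(p)) for p in packets]


if __name__ == "__main__":
    for p, (sl, sf) in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags:<2} "
              f"stateless={sl:<5} stateful={sf}")
```

Packets 4 and 5 are the ones the thread is about: the stateless filter passes both because the ACK bit is set, while the tracker denies the first for having no table entry and the second for an out-of-window sequence number. A host behind the stateless filter answers the unsolicited ACK with a RST, which is exactly the signal the nmap -sA check looks for; a tracker that only keyed on the 4-tuple without the window check would still pass packet 5, which is the gap Eric's "do you check sequence numbers?" question points at.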