Firewall Wizards mailing list archives
Re: how to determine whether a firewall is stateful
From: Mikael Olsson <mikael.olsson () clavister se>
Date: Mon, 18 Mar 2002 01:18:13 +0100
Ofir,

Ofir Arkin wrote:
> opening a TCP port and monitoring the TCP state is not being stateful when
> you let all the garbage in utilizing the application. Because my friends, a
> lot of applications have their own state to monitor.

I beg to differ. What you are describing here is a full application layer gateway that knows more than each and every "proxy" firewall knows about the protocols that they transport.

Drawing your conclusion to its logical extreme, one could say "No, this is not a stateful inspection firewall. It does not know the state of the cpu stack on the peers. That's at least one state that it does not track, and hence it is not stateful".

I would argue, and I believe that most here would agree, that what we expect of "stateful" is pretty much "poking a reverse hole to a connection that was allowed by our rule set". Yes, most of us would expect it to track at least the initial three-way-handshake. (Whoops, fw-1 usually doesn't do that.)

Some believe that "stateful" automatically means tracking of sequence numbers and such. Sorry; you've been had. From what I know of the current marketplace, most stateful inspection firewalls don't do that. At least not beyond the initial three-way handshake (if that).

So, where is the logic in trying to mandate that a stateful inspection firewall should inspect all the state in layer seven? I mean, come on, the reason stateful inspection / dynamic filtering became so popular is that it usually DOESN'T inspect layer seven, which makes it easier to allow new protocols. It was also the "death" of proxy firewalls (well, at least market share wise). And not even proxy firewalls were/are that good at following application state.

Regards,
Mikael Olsson

PS. Part of me agrees that firewalls in general should be inspecting more L7 stuff. But the pragmatic in me tells me that this is futile, given the sheer bulk of protocols _and_ _software_ in wide use today. Unless, of course, you're attempting to build the Ultimately Secure Firewall, which no-one will buy.
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05   Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
"Smile; today is the tomorrow you worried about yesterday!"

firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
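The distinction Mikael draws above, "poking a reverse hole to a connection that was allowed by our rule set" and tracking at least the initial three-way handshake, is easiest to see next to the thing it replaced: a stateless packet filter that admits inbound segments on the strength of the ACK flag alone. The following is an added example written for this archive page, not code from the thread or from any product mentioned in it. It models a tiny policy (inside hosts may open connections outward; nothing inbound is allowed unsolicited) with both a stateless filter and a state-table filter, and runs constructed traffic through each. All addresses, ports and the state names are assumptions; the tracker deliberately ignores sequence numbers, matching the behaviour Mikael says most products of the time actually had.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    """One TCP segment header, reduced to the fields the filters look at."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}


def from_inside(pkt: Packet) -> bool:
    return pkt.src.startswith(INSIDE_PREFIX)


def conn_key(pkt: Packet) -> tuple:
    """Normalise to (inside_ip, inside_port, outside_ip, outside_port) so that
    both directions of one connection land on the same table entry."""
    if from_inside(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport)


def stateless_filter(pkt: Packet) -> str:
    """The classic 'established' ACL: outbound is free, inbound needs ACK set.
    It keeps no memory, so any inbound segment carrying ACK is let through."""
    if from_inside(pkt):
        return "ALLOW"
    return "ALLOW" if "ACK" in pkt.flags else "DROP"


class StatefulFilter:
    """Inside may open connections outward; nothing else unsolicited.
    The 'reverse hole' for replies exists only while the table has an entry,
    and the entry only advances through SYN -> SYN/ACK -> ACK in order."""

    def __init__(self):
        self.table: dict = {}   # conn_key -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    def filter(self, pkt: Packet) -> str:
        key = conn_key(pkt)
        state = self.table.get(key)
        if "RST" in pkt.flags:          # reset tears the hole down again
            if state is None:
                return "DROP"
            del self.table[key]
            return "ALLOW"
        if from_inside(pkt):
            if state is None:
                if pkt.flags == frozenset({"SYN"}):
                    self.table[key] = "SYN_SENT"   # rule set allows it: open the hole
                    return "ALLOW"
                return "DROP"           # mid-stream segment for a connection we never saw
            if state == "SYN_RECV" and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"
            return "ALLOW"
        # inbound: only through a hole an earlier outbound SYN opened
        if state is None:
            return "DROP"
        if state == "SYN_SENT":
            if pkt.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "SYN_RECV"
                return "ALLOW"
            return "DROP"               # reply does not fit the handshake step we expect
        return "ALLOW"


def run(filter_fn, packets):
    return [filter_fn(p) for p in packets]


F = frozenset
# constructed traffic: a normal outbound handshake ...
HANDSHAKE = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, F({"SYN"})),
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, F({"SYN", "ACK"})),
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, F({"ACK"})),
]
# ... and inbound segments that carry ACK but belong to no connection the inside opened
UNSOLICITED = [
    Packet("198.51.100.7", 80, "10.0.0.5", 40001, F({"SYN", "ACK"})),
    Packet("198.51.100.7", 5555, "10.0.0.5", 445, F({"ACK"})),
]


def compare() -> dict:
    """Decisions of both filters over the two constructed samples."""
    return {
        "handshake_stateless": run(stateless_filter, HANDSHAKE),
        "handshake_stateful": run(StatefulFilter().filter, HANDSHAKE),
        "unsolicited_stateless": run(stateless_filter, UNSOLICITED),
        "unsolicited_stateful": run(StatefulFilter().filter, UNSOLICITED),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name:24} {decisions}")
```

The legitimate handshake passes both filters, so day-to-day traffic does not tell the two apart; the difference shows only on the unsolicited segments, which the stateless filter admits because ACK is set and the tracker drops because no outbound SYN ever created a table entry. That observation is the practical answer to the thread's title question, and it is also why the thread's "does it track sequence numbers too?" point is a separate, stricter test that this tracker would fail.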