Firewall Wizards mailing list archives

Re: how to determine whether a firewall is stateful


From: Mikael Olsson <mikael.olsson () clavister se>
Date: Mon, 18 Mar 2002 01:18:13 +0100


Ofir,

Ofir Arkin wrote:

> opening a TCP port and monitoring the TCP state is not being stateful 
> when you let all the garbage in utilizing the application. Because 
> my friends, a lot of applications have their own state to monitor.

I beg to differ. What you are describing here is a full application
layer gateway that knows more than each and every "proxy" firewall
knows about the protocols that they transport.

Drawing your conclusion to its logical extreme, one could say
"No, this is not a stateful inspection firewall. It does
not know the state of the cpu stack on the peers. That's
at least one state that it does not track, and hence it is
not stateful".


I would argue, and I believe that most here would agree, that
what we expect of "stateful" is pretty much "poking a reverse 
hole to a connection that was allowed by our rule set".

Yes, most of us would expect it to track at least the initial
three-way handshake. (Whoops, fw-1 usually doesn't do that.)

Some believe that "stateful" automatically means tracking
of sequence numbers and such. Sorry; you've been had. From
what I know of the current marketplace, most stateful 
inspection firewalls don't do that. At least not beyond the
initial three-way handshake (if that).


So, where is the logic in trying to mandate that a stateful 
inspection firewall should inspect all the state in layer seven? 
I mean, come on, the reason stateful inspection / dynamic filtering 
became so popular is that it usually DOESN'T inspect layer seven, 
which makes it easier to allow new protocols. It was also the 
"death" of proxy firewalls (well, at least market share wise). And 
not even proxy firewalls were/are that good at following application 
state.


Regards,
Mikael Olsson

ps.
Part of me agrees that firewalls in general should be inspecting 
more L7 stuff. But the pragmatic in me tells me that this is 
futile, given the sheer bulk of protocols _and_ _software_ in 
wide use today. Unless, of course, you're attempting to build 
the Ultimately Secure Firewall, which no-one will buy.



-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Smile; today is the tomorrow you worried about yesterday!"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
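The distinction the post draws (a state table that pokes a reverse hole for rule-allowed connections, with or without tracking the initial three-way handshake, and no layer-seven inspection at all) can be made concrete with a toy filter. The following is an added example written for this archive page; it is not code from the post, from Clavister, or from any firewall product. The 10.0.0.0/24 "inside" prefix, the 203.0.113.7 server address, the allowed ports and the simplified state machine (no sequence-number checking, teardown on any FIN or RST) are all constructed assumptions of this example.

```python
"""Toy stateful packet filter (constructed example): tracks the TCP
three-way handshake and opens a 'reverse hole' only for connections
the rule set allowed. Not modelled on any vendor's implementation."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

# TCP flag bits as defined in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

Key = Tuple[str, int, str, int]  # (src, sport, dst, dport) of the initiator


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class State(Enum):
    SYN_SENT = "SYN_SENT"          # initiator's SYN seen
    SYN_RECEIVED = "SYN_RECEIVED"  # responder's SYN/ACK seen
    ESTABLISHED = "ESTABLISHED"    # initiator's final ACK seen


class StatefulFilter:
    """Rule set: hosts under `inside_prefix` may initiate TCP to `allowed_ports`.
    strict=True  -> state is created only by a SYN and the handshake is
                    tracked before data may flow.
    strict=False -> any rule-matching packet creates ESTABLISHED state at
                    once, so the reverse hole opens without a handshake."""

    def __init__(self, inside_prefix: str, allowed_ports, strict: bool = True):
        self.inside_prefix = inside_prefix
        self.allowed_ports = set(allowed_ports)
        self.strict = strict
        self.table: Dict[Key, State] = {}

    def _rule_allows(self, p: Packet) -> bool:
        return p.src.startswith(self.inside_prefix) and p.dport in self.allowed_ports

    @staticmethod
    def _fwd(p: Packet) -> Key:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p: Packet) -> Key:
        return (p.dst, p.dport, p.src, p.sport)

    def state_of(self, p: Packet) -> Optional[State]:
        return self.table.get(self._fwd(p)) or self.table.get(self._rev(p))

    def process(self, p: Packet) -> str:
        fwd, rev = self._fwd(p), self._rev(p)
        if fwd in self.table:                 # initiator -> responder
            return self._advance(fwd, p, initiator=True)
        if rev in self.table:                 # responder -> initiator: the reverse hole
            return self._advance(rev, p, initiator=False)
        # No state yet: only the rule set can admit this packet, and doing so creates state.
        if not self._rule_allows(p):
            return "DROP"
        if self.strict:
            if p.flags & SYN and not p.flags & ACK:
                self.table[fwd] = State.SYN_SENT
                return "ALLOW"
            return "DROP"                     # mid-stream packet with no handshake seen
        self.table[fwd] = State.ESTABLISHED   # loose mode: trust the rule match alone
        return "ALLOW"

    def _advance(self, key: Key, p: Packet, initiator: bool) -> str:
        st = self.table[key]
        if p.flags & (RST | FIN):             # teardown closes the hole (simplified)
            del self.table[key]
            return "ALLOW"
        if st is State.SYN_SENT:
            if not initiator and p.flags & SYN and p.flags & ACK:
                self.table[key] = State.SYN_RECEIVED
                return "ALLOW"
            return "ALLOW" if (initiator and p.flags & SYN) else "DROP"  # SYN retransmit ok
        if st is State.SYN_RECEIVED:
            if initiator and p.flags & ACK:
                self.table[key] = State.ESTABLISHED
                return "ALLOW"
            return "ALLOW" if (not initiator and p.flags & SYN) else "DROP"
        return "ALLOW"                        # ESTABLISHED: data flows both ways


def run_scenario(strict: bool) -> dict:
    """Replay a constructed packet sequence and collect the filter's verdicts."""
    fw = StatefulFilter("10.0.0.", {80, 443}, strict=strict)
    client, server = "10.0.0.5", "203.0.113.7"  # constructed addresses
    out = {}
    out["unsolicited"] = fw.process(Packet(server, 80, client, 40000, SYN | ACK))
    out["mid_stream"] = fw.process(Packet(client, 40001, server, 80, ACK))
    out["mid_stream_reply"] = fw.process(Packet(server, 80, client, 40001, ACK))
    out["handshake"] = [fw.process(Packet(client, 40002, server, 80, SYN)),
                        fw.process(Packet(server, 80, client, 40002, SYN | ACK)),
                        fw.process(Packet(client, 40002, server, 80, ACK))]
    out["data_reply"] = fw.process(Packet(server, 80, client, 40002, ACK))
    out["state"] = fw.state_of(Packet(client, 40002, server, 80, ACK)).value
    return out


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "loose", run_scenario(strict=mode))
```

In strict mode a bare ACK from the inside opens nothing and the outside reply to it is dropped; in loose mode the same ACK matches the rule, state is created immediately, and the reverse direction is admitted without any handshake having been seen. Neither mode looks at a single byte of payload, which is exactly the point the post makes about what "stateful" buys and what it does not.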

