Firewall Wizards mailing list archives

Re: FW and TCP Sessions


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 01 Jun 2004 09:22:31 -0400

Manoj Kumar Neelapareddy wrote:
> if a FW is said to be a stateful firewall, then will
> it allow a TCP packet to pass through it (outbound), if
> I haven't sent a TCP SYN to initiate a TCP Session
> before sending this TCP packet?

Manoj, "stateful" is a marketing term, invented by marketers, and
means whatever it means - there's no shared understanding of
what a "stateful" firewall is or does except that "everyone knows
that it's better than just 'packet filtering'".

"Packet filtering" firewalls are ones that process traffic
using header information only, without carrying forward
any context or "state".  Note that the "state" that is
carried by TCP itself is almost entirely in the sequence
number and the SYN/ACK flags in the packet. So a
"stateful" firewall *might* do:
        - SYN checking
        - TCP sequence checking
        - firewall-specific internal state tracking; i.e.:
                remembering which interface the
                SYN packet came in on
        - layer 7 protocol positioning

As far as I have ever been able to tell, the first "stateful"
firewalls were hardly more "stateful" than flagging the
interface the SYN packet came in on, and snagging bits
of layer 7 protocol (without addressing fragmentation!)
for some app protocols like FTP.

In every possible sense of the term, proxy firewalls are
"stateful" since they typically are doing TCP and application
termination and that requires doing all the things a stack
would. How "stateful" became equated with "good" when
it's actually a *subset* of what a good firewall does is a
tribute to marketing genius and the customers' desires
to make themselves comfortable with marginal but
attractive technology. New generation "stateful"
firewalls aren't bad at all and many are doing a lot of
layer 7 work and nearly all of TCP processing. I am largely
critical of the early "stateful" firewalls that were little more
than a pimped-up screening router that cost 10X as much.
Nowadays "stateful" firewalls are excellent products that
are almost as good as dumbed-down proxy firewalls.

> I heard that Stateful firewall won't allow any TCP
> packets, other than TCP SYNs to pass through it, if
> there is no session corresponding to a TCP packet
> maintained in FW's session table.

Pretty much, that's it!

That's actually a second generation "stateful" firewall.
1st generation just kept a state table about what
interface the SYN came in on. 2nd generation ones
were "smart" enough to do some TCP sequence-tracking.

Depending on the firewall, it's an open question what
the firewall does when it encounters a packet that
appears to be part of a TCP session which it has not seen
the beginning of. Some products are permissive for a
while after they are rebooted and will accept the
traffic. This is a thorny problem and equates to an
acceptance of vulnerability that I'm not comfortable
with.

mjr. 
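As an added illustration of the three generations Ranum distinguishes (header-only packet filter, "remember the SYN's interface", and TCP sequence tracking) and of the "accept a mid-stream packet" behaviour he objects to, here is a toy model; it is not code from the original post or from any product. The `Pkt`/`Firewall` names, the omission of ports, and the exact-match sequence check (real stacks accept a window) are simplifications assumed here, and the sample packets are constructed.

```python
from collections import namedtuple

# iface: "inside"/"outside"; flags: "S", "SA" or "A"; payload: bytes. Ports omitted.
Pkt = namedtuple("Pkt", "iface src dst flags seq payload")

class Firewall:
    """gen 0: header-only filter; gen 1: remembers the SYN's interface;
    gen 2: also tracks each side's next expected sequence number."""
    def __init__(self, gen, permissive=False):
        self.gen, self.permissive, self.table = gen, permissive, {}

    def inspect(self, p):
        key = frozenset((p.src, p.dst))
        if self.gen == 0:  # classic "established" rule: any ACK looks like a session
            return p.iface == "inside" or "A" in p.flags
        if p.flags == "S":
            if p.iface != "inside":
                return False  # only inside hosts may open sessions
            self.table[key] = {p.src: p.seq + 1}  # next seq expected per sender
            return True
        st = self.table.get(key)
        if st is None:
            if self.permissive and "A" in p.flags:  # the "accept mid-stream" mode
                self.table[key] = {p.src: p.seq + p.payload}  # Ranum warns about
                return True
            return False  # no session in the table: drop even with ACK set
        if self.gen == 1:
            return True  # anything matching a known session passes
        expected = st.get(p.src)
        if expected is None:  # responder's first packet must be the SYN-ACK
            if p.flags != "SA":
                return False
            st[p.src] = p.seq + 1
            return True
        if p.seq != expected:  # real stacks accept a window; exact match for brevity
            return False
        st[p.src] = p.seq + p.payload
        return True

# Constructed sample traffic: an inside host opens a session, then two forged packets.
PACKETS = [
    Pkt("inside", "10.0.0.5", "203.0.113.9", "S", 1000, 0),    # SYN from inside
    Pkt("outside", "203.0.113.9", "10.0.0.5", "SA", 5000, 0),  # SYN-ACK reply
    Pkt("inside", "10.0.0.5", "203.0.113.9", "A", 1001, 100),  # ACK carrying 100 bytes
    Pkt("outside", "203.0.113.9", "10.0.0.5", "A", 9999, 50),  # in-session, wrong seq
    Pkt("outside", "198.51.100.7", "10.0.0.5", "A", 42, 0),    # ACK with no session
]

def run(gen, permissive=False, packets=PACKETS):  # per-packet verdicts, True = forwarded
    fw = Firewall(gen, permissive)
    return [fw.inspect(p) for p in packets]
```

Running `run(0)`, `run(1)` and `run(2)` over the same five packets shows the packet filter forwarding everything, the first-generation table dropping only the session-less ACK, and the sequence-tracking one also dropping the in-session packet with a bogus sequence number; `run(2, permissive=True)` shows the post-reboot "adopt the stream" mode letting the session-less ACK through.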

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
