Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sun, 25 Nov 2007 21:41:29 -0500
One of the fun questions I used to ask my firewalls tutorial attendees (back in the day) is: What is a stateful inspection firewall? I.e.: what does it DO? The answers are usually illuminating. Nobody seems to actually know. But after some hemming and hawing you can often converge on something like: "A stateful firewall builds virtual session state based on its permission tables and tracks packets back and forth."

That opens some fun questions like: "What does it apply to do this tracking?" And the usual answer is something like:

- source
- destination
- source port
- destination port
- and _MAYBE_ sequence number (or maybe just a 1 in stream->permit)

What about packets that are out of window? What's the size of the window? How is the window computed? What about packets out of sequence? What about fragments? What about overlapping packet fragments?

Well, the answers to those questions seem fairly hard to get, for virtually all of the commercial firewalls. But, gee, the answers to those questions (which would comfortably fit on a post-it note) are the entire "design" of a "stateful firewall" right there. Isn't that kind of amazing?

People look at these "stateful firewalls" as if they're somehow doing something IMPORTANT but they're basically a router with "established" and a kind of "synthetic established" for UDP. People, that's barely a security device at all - 99% of what you're getting is the "firewall" sticker on the front. The value these devices offer above and beyond router ACLs is so ridiculously marginal that there's no justification in my mind for their additional cost. Sure, they "do something" with UDP, but the significant stuff you'll bump into with UDP is all layer-7 regarding DNS. In fact, the value proposition of a "stateful firewall" is effectively zero and you can replace it with some layer-7 hardening and a router with port-level ACLs.
Note that layer-7 hardening is already required - which is a darned good thing because "stateful firewalls" do - well - what DO they do - at layer-7? Layer-7 is where all the interesting attacks are, nowadays, right? I submit to you that the reason it's hard to find out what a "stateful firewall" actually does is because they do so little that it is positively embarrassing.

Not to let the proxies off the hook - most proxies are also mysterious black boxes that work at layer-7 and "do something" - but, what? The original value of the proxy concept was not to have a proxy that works cleanly and easily with everything. The original value of the proxy concept was protocol minimization. You only need 5 operations to send me an SMTP email message - so those are the 5 operations you get, and nothing more. That whole model started to fall apart in the mid 1990s when there was a plethora of new bad software that implemented the existing bad protocols in new bad ways. And, of course, there are the standards pukes, constantly working to add new important bad options to existing bad software, so as to make the firewalls increasingly complex. The market reality of the firewall industry has forced the proxy vendors (I guess it's really Secure Computing, now...) to compete with the "stateful inspection" crap by handling more protocol options and variant forms. Too bad.

Security is such a disaster because we're fighting and losing a battle with software complexity and extravagantly stupid software specifications. Firewalls, rather than acting as bastions against the complexity, have "adapted" by succumbing to that complexity themselves. In another 10 years, if I'm still around, I'll probably work up the energy for an "I told you so" posting. But I've done that so many times I'm getting as tired of doing it as you guys probably are of hearing it.

mjr.
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
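The "post-it note design" Marcus describes above, written out as an added example (this is not code from the post or from any firewall vendor): a toy stateful filter that keys sessions on the 5-tuple, tracks the TCP handshake and a sequence window, grants UDP a "synthetic established" reply entry, and rejects overlapping IP fragments. The Packet and Session classes, the window size, and the addresses in the usage section are all constructed for illustration; a real implementation would also need timeouts, FIN/RST handling and fragment reassembly, which are left out here.

```python
"""Toy stateful packet filter: 5-tuple sessions, TCP sequence window,
synthetic 'established' for UDP, and overlap checking for IP fragments."""
from dataclasses import dataclass, field

SEQ_MOD = 1 << 32


@dataclass
class Packet:
    # Constructed packet model; proto is "tcp" or "udp".
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    seq: int = 0                     # TCP sequence number of this segment
    payload_len: int = 0
    frag_id: int = 0                 # IP identification, used only when fragmented
    frag_offset: int = 0             # byte offset of this fragment in the datagram
    fragmented: bool = False


@dataclass
class Session:
    proto: str
    state: str                                       # SYN_SENT, SYN_RECV, ESTABLISHED, UDP
    next_seq: dict = field(default_factory=dict)     # "fwd"/"rev" -> next expected seq


class StatefulFilter:
    def __init__(self, allow_inbound, window=65535):
        self.allow = set(allow_inbound)   # (proto, dst, dport): the "router ACL" part
        self.window = window              # how far ahead of expected a seq may be
        self.sessions = {}                # 5-tuple -> Session
        self.frags = {}                   # (src, dst, frag_id) -> [(offset, length)]

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _in_window(self, expected, seq):
        d = (seq - expected) % SEQ_MOD
        # ahead by less than one window, or a retransmission up to one window behind
        return d < self.window or d > SEQ_MOD - self.window

    def _check_fragment(self, p):
        # Fragments after the first carry no ports, so a filter cannot match them
        # to a session; here we only refuse fragments that overlap earlier pieces.
        pieces = self.frags.setdefault((p.src, p.dst, p.frag_id), [])
        lo, hi = p.frag_offset, p.frag_offset + p.payload_len
        for off, ln in pieces:
            if lo < off + ln and off < hi:
                return "drop: overlapping fragment"
        pieces.append((p.frag_offset, p.payload_len))
        return "accept"

    def process(self, p):
        if p.fragmented:
            return self._check_fragment(p)
        fwd, rev = self._key(p), self._reverse(p)
        s, direction = self.sessions.get(fwd), "fwd"
        if s is None and rev in self.sessions:
            s, direction = self.sessions[rev], "rev"
        allowed = (p.proto, p.dst, p.dport) in self.allow
        if p.proto == "udp":
            if s is not None:                     # a reply to a tracked datagram
                return "accept"
            if allowed:                           # first packet creates the entry
                self.sessions[fwd] = Session("udp", "UDP")
                return "accept"
            return "drop: no policy"
        if s is None:
            if p.flags == frozenset({"SYN"}):
                if not allowed:
                    return "drop: no policy"
                self.sessions[fwd] = Session("tcp", "SYN_SENT", {"fwd": (p.seq + 1) % SEQ_MOD})
                return "accept"
            return "drop: no session"             # plain ACK with no handshake, etc.
        if s.state == "SYN_SENT":
            if direction == "rev" and p.flags == frozenset({"SYN", "ACK"}):
                s.state, s.next_seq["rev"] = "SYN_RECV", (p.seq + 1) % SEQ_MOD
                return "accept"
            return "drop: unexpected in SYN_SENT"
        if s.state == "SYN_RECV":
            if direction == "fwd" and "ACK" in p.flags:
                s.state = "ESTABLISHED"           # fall through to the window check
            else:
                return "drop: unexpected in SYN_RECV"
        expected = s.next_seq[direction]
        if not self._in_window(expected, p.seq):
            return "drop: out of window"
        if (p.seq - expected) % SEQ_MOD < self.window:   # advance only on new data
            s.next_seq[direction] = (p.seq + p.payload_len) % SEQ_MOD
        return "accept"


if __name__ == "__main__":
    fw = StatefulFilter([("tcp", "10.0.0.5", 25), ("udp", "10.0.0.53", 53)], window=8192)
    c, srv = "192.0.2.1", "10.0.0.5"     # constructed addresses
    print(fw.process(Packet(c, srv, 40000, 25, "tcp", frozenset({"SYN"}), seq=1000)))
    print(fw.process(Packet(srv, c, 25, 40000, "tcp", frozenset({"SYN", "ACK"}), seq=5000)))
    print(fw.process(Packet(c, srv, 40000, 25, "tcp", frozenset({"ACK"}), seq=1001)))
    print(fw.process(Packet(c, srv, 40000, 25, "tcp", frozenset({"ACK"}), seq=1001 + 9000)))
```

Note how little the device actually decides: everything outside the handshake and the window check is the ACL, which is the point of the post. The fragment check also shows why the fragment questions matter: once a datagram is split, the filter has no ports to match against and must either reassemble or fall back to a much cruder rule.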