Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 27 Nov 2007 11:14:22 -0500
Paul Melson wrote:
> State tables allow your firewall to have a deny-all default inbound policy and an allow-all default outbound policy.
Thanks for playing. A router with "established" SYN/ACK filtering gives you exactly the same thing, with basically the same degree of assurance. If all you're doing is setting up a "one way mirror" style policy it's a no-brainer. If you're allowing incoming traffic to targets behind the firewall then it's a layer-7 problem for the service on the target - unless the firewall is doing some additional layer-7 security. (hint: regexp match causes packet drop is "deep packet inspection")

What I'm trying to get people to understand is that there are these cool sounding marketing terms like "stateful" and "deep packet" which, when you look under the covers, are basically not doing a whole lot. Yet, because they have been so effectively marketed, they have been accepted as terms of art without any examination at all. Kind of like the way "alternative medicine" has been accepted as "medicine" without passing the all-important stage at which it has to prove it actually does something. That is exactly why I used the term "placebo" for "stateful inspection"; acupuncture patients report the same degree of improvement in controlled studies as patients that receive fake acupuncture.

If a network protected by a correctly configured router+ACLs and layer-7 controls is just as safe as a network protected by a correctly configured "stateful inspection" firewall and layer-7 controls then what does that tell you?

In a "stateful" firewall the state is all held in the firewall, but in a router+ACLs relying on TCP SYN/ACK semantics the state is held in the endpoint/target's IP stack. What happens if I send a packet to a target that has ACK set but that is not part of a TCP stream that has been established in the target's IP stack? Compare and contrast this with what happens if I send a packet toward a "stateful" firewall that is not part of an established stream.

Second question: what does the "stateful" firewall do if the un-established packet (i.e.: not associated with a known stream) comes at it from the "authorized" side of the network or interface or IP range?

By exploring questions like these, we can realize what a "stateful inspection" firewall actually does.

I don't expect to change anyone's mind on this topic. After all, homeopathy, acupuncture, chiropractic, energy therapy, etc - have been revealed as placebos for decades, yet huge amounts of money are still spent on them because anecdotal evidence carries a great deal of weight in human affairs. After all, who has done side-by-side comparisons between "stateful inspection" firewalls and just a plain old router? Everyone always does side-by-side comparisons between various brands of firewalls - and all they can think of to measure is performance. Doesn't that tell you something? If you have a device that purports to do security, and you can't measure anything about its purported security properties, shouldn't that peg your skeptico-meter?

Last topic: "inspection"

The term "inspection" has been successfully glued onto these devices by marketing weasels for over a decade. Can anyone tell me what "inspection" is going on? What is inspected, and how, and what decisions are made as a result of that inspection? I can easily enumerate the "inspection" done by early Checkpoint firewalls. It was "inspecting" the FTP command stream for lines beginning with "PORT...." and dynamically opening a return-hole rule for the ( source, destination ) pair.

mjr.
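As an added illustration (not from the original post or the list), here is a toy model in Python of the two designs the post contrasts: a stateless "established" ACL that decides on the ACK flag alone and leaves the real connection state in the endpoint's IP stack, beside a minimal state table that must see the flow first. `Pkt`, `StateTable`, `host_stack` and the addresses are constructed for the example; the state table's choice to create an entry for any trusted-side packet is the toy's simplification of an allow-all outbound policy, not a claim about any product.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:  # constructed packet model
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    direction: str  # "out" = from the trusted side, "in" = from the untrusted side

def established_acl(p: Pkt) -> bool:
    """Router 'established' rule: stateless, decides on TCP flags alone."""
    if p.direction == "out":
        return True      # allow-all outbound
    return p.ack         # inbound only if the packet claims to be a reply

def host_stack(p: Pkt, sockets: set) -> str:
    """Endpoint IP stack: the state the router relies on lives here."""
    if (p.dst, p.dport, p.src, p.sport) in sockets:
        return "accepted"
    return "RST" if p.ack else "dropped"  # a stray ACK is answered with a reset

class StateTable:
    """Toy state table: inbound is allowed only for flows already in the table."""
    def __init__(self):
        self.flows = {}
    @staticmethod
    def key(p: Pkt):
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
    def filter(self, p: Pkt) -> bool:
        k = self.key(p)
        if p.direction == "out":
            self.flows.setdefault(k, "NEW")  # any trusted-side packet creates state
            return True
        if k not in self.flows:
            return False
        if self.flows[k] == "NEW" and p.syn and p.ack:
            self.flows[k] = "ESTABLISHED"
        return True

def scenario():
    inside, outside = ("10.0.0.5", 40000), ("203.0.113.9", 80)
    st = StateTable()
    syn = Pkt(*inside, *outside, True, False, "out")
    synack = Pkt(*outside, *inside, True, True, "in")
    stray = Pkt("198.51.100.7", 1234, *inside, False, True, "in")  # unsolicited ACK
    sockets = {(*inside, *outside)}                                  # the host's real state
    return {"handshake_acl": established_acl(syn) and established_acl(synack),
            "handshake_state": st.filter(syn) and st.filter(synack),
            "stray_acl": established_acl(stray),        # router lets it through
            "stray_host": host_stack(stray, sockets),   # host stack answers RST
            "stray_state": st.filter(stray)}            # state table drops it
```

Run `scenario()` to see both designs pass the legitimate handshake while only the state table stops the unsolicited ACK before it reaches the host.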