Re: Firewalls that generate new packets..

[Darren Reed <Darren.Reed () Sun COM>]

Marcus J. Ranum wrote:

> Darden, Patrick S. wrote:
>  
...

> > *stateless:     i.e. extended ACLs that merely look for syns/acks 
> > or less--e.g. if it has the proper syns/acks let it through.
> > This is a recipe for DOS disaster of course.  Connection
> > hijacking.  You name it.  Stateless would not just include
> > firewalls that only look for proper syns/acks--it would also
> > include less artful firewalls that don't even do something
> > that complex.
> >    
>
> Let's take MITM and DOS off the table. No firewall will
> protect you against either of those.
>  

Understanding what DOS is appears to be a problem for a
*lot* of people.  Lots of people seem to fail to understand
what the real problem is - the saturation of your network
(connection) with packets that you don't want anything to
do with at a point at which you've got no control over.

What's more, people seem to think that you can just filter
out DOS attacks.  Will someone please give me a cricket
bat (or baseball bat) so I can apply some proper instruction?
*sigh*

As Marcus said, no firewall, be it stateless, stateful, proxy,
or otherwise can help you against DOS.


...

> > *virtual stateful: keep a matrix of connections, but do nothing 
> > with tcp sequence #s.  This is a little better than the above,
> > in that improper resets would be ignored (e.g. that Charter
> > business where they were sending resets back to p2p clients).
> >    
>
> What is an improper reset? Is that an out-of-sequence reset?
> ...
>  

Marcus, don't you find it funny that people are coming up
with new terms to describe technology that is even more
lame than what has been available via open source for more
than 10 years now?


> > Stream inspection (deep packet inspection) would be even better.
> >    
>
> Is "deep packet inspection" stream inspection?
> ...
> What I'm getting at is that the industry was sold a gigantic
> bill of goods (or load of bull, depending on your preferred
> metaphor) in the form of "stateful inspection" and is
> re-subscribing for another load called "deep packet inspection."
>
> Put another way:
> "Where's the 'deep'?"
>  

I think 'deep' is more of a reference about how far they'd like
you to reach into your pocket - again - so they can get their
product bell curve to turn the right way :-)

...

> > *stateful with deep packet inspection: a connection matrix 
> > is kept, mindful of sequence #s, checking to make sure that 
> > only proper protocols are allowed, and additionally checking
> > for application level sanity--e.g. squid, a web application
> > proxy that allows for various levels of sanity checking on 
> > http commands, can ensure that requests follow RFCs, allows a 
> > lot of custom filtering/sanitizing such as regexp type addons 
> > for getting rid of pop-ups, malware, pushes that might break
> > cgi boundaries, etc.
> >    
>
> Now, you're cooking with gas.
>  

You know for a while, one of my favourite HTTP commands
to a proxy was "CONNECT".  telnet straight through
someone's firewall that was HTTP only ;-)

I forget how it went, but something like this:
CONNECT http://12.34.56.78:23 HTTP/1.0

and sometime later, I'd happily see this:

SunOS foo
login:

Of course now people restrict CONNECT to the more usual
ports, such as 443 but since 443 is normally encrypted, it
is uncommon for any content filtering to be applied to it...

Does your ssh server /also/ run on port 443? ;)


...

> Is it possible that a "firewall" is largely "a router
> with a sticker on it that says 'firewall'?"
>  

The ADSL+router+NAT+Firewall you buy from Safeway at
$29.95 probably is just that :-)


> ...
> Unless it's doing a lot of useful "deep" stuff at
> layer-7, I'd say that might be the situation.
>
> The question I want you all to start asking is:
> "What's 'deep' about that?"
>  

I first heard the term "deep packet inspection" around 5 years
ago and nothing I've seen or heard since then has convinced me
that it is anything other than a marketting term, used by people
trying to sell _something_ (be it themselves, their ideas or products)
that you'd otherwise not think twice about.

And it is the lack of definition about what "deep packet inspection"
is that continues to make it sound good.  Nobody appears to have a
precise definition, so everyone can claim it (for different reasons.)

I mean, would you buy a firewall that did stateful filtering, proxying
or deep packet inspection?  I mean, what sounds sexier?

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards