Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: Darren Reed <Darren.Reed () Sun COM>
Date: Tue, 27 Nov 2007 19:23:24 -0800
Marcus J. Ranum wrote:
> Darden, Patrick S. wrote:
> > ...
> > *stateless: i.e. extended ACLs that merely look for syns/acks or less--e.g. if it has the proper syns/acks let it through. This is a recipe for DOS disaster of course. Connection hijacking. You name it. Stateless would not just include firewalls that only look for proper syns/acks--it would also include less artful firewalls that don't even do something that complex.
>
> Let's take MITM and DOS off the table. No firewall will protect you against either of those.

Understanding what DOS is appears to be a problem for a *lot* of people. Lots of people seem to fail to understand what the real problem is - the saturation of your network (connection) with packets that you don't want anything to do with, at a point at which you've got no control over it. What's more, people seem to think that you can just filter out DOS attacks. Will someone please give me a cricket bat (or baseball bat) so I can apply some proper instruction? *sigh* As Marcus said, no firewall, be it stateless, stateful, proxy, or otherwise, can help you against DOS.

...

> > *virtual stateful: keep a matrix of connections, but do nothing with tcp sequence #s. This is a little better than the above, in that improper resets would be ignored (e.g. that Charter business where they were sending resets back to p2p clients).
>
> What is an improper reset? Is that an out-of-sequence reset?
> ...

Marcus, don't you find it funny that people are coming up with new terms to describe technology that is even more lame than what has been available via open source for more than 10 years now?

> > Stream inspection (deep packet inspection) would be even better.
>
> Is "deep packet inspection" stream inspection? ... What I'm getting at is that the industry was sold a gigantic bill of goods (or load of bull, depending on your preferred metaphor) in the form of "stateful inspection" and is re-subscribing for another load called "deep packet inspection." Put another way: "Where's the 'deep'?"

I think 'deep' is more of a reference to how far they'd like you to reach into your pocket - again - so they can get their product bell curve to turn the right way :-)

...

> > *stateful with deep packet inspection: a connection matrix is kept, mindful of sequence #s, checking to make sure that only proper protocols are allowed, and additionally checking for application level sanity--e.g. squid, a web application proxy that allows for various levels of sanity checking on http commands, can ensure that requests follow RFCs, allows a lot of custom filtering/sanitizing such as regexp type addons for getting rid of pop-ups, malware, pushes that might break cgi boundaries, etc.
>
> Now, you're cooking with gas.

You know, for a while one of my favourite HTTP commands to a proxy was "CONNECT". telnet straight through someone's firewall that was HTTP only ;-) I forget how it went, but something like this:

CONNECT http://12.34.56.78:23 HTTP/1.0

and sometime later, I'd happily see this:

SunOS foo login:

Of course now people restrict CONNECT to the more usual ports, such as 443, but since 443 is normally encrypted, it is uncommon for any content filtering to be applied to it... Does your ssh server /also/ run on port 443? ;)

...

> Is it possible that a "firewall" is largely "a router with a sticker on it that says 'firewall'?"

The ADSL+router+NAT+Firewall you buy from Safeway at $29.95 probably is just that :-)

> ... Unless it's doing a lot of useful "deep" stuff at layer-7, I'd say that might be the situation. The question I want you all to start asking is: "What's 'deep' about that?"

I first heard the term "deep packet inspection" around 5 years ago and nothing I've seen or heard since then has convinced me that it is anything other than a marketing term, used by people trying to sell _something_ (be it themselves, their ideas or products) that you'd otherwise not think twice about. And it is the lack of definition about what "deep packet inspection" is that continues to make it sound good. Nobody appears to have a precise definition, so everyone can claim it (for different reasons.) I mean, would you buy a firewall that did stateful filtering, proxying or deep packet inspection? I mean, what sounds sexier?

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
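The three filtering models Patrick lists (a stateless "established" ACL, a "virtual stateful" connection table that ignores TCP sequence numbers, and a sequence-aware stateful table) behave differently on exactly the packet Marcus asks about: a RST whose 4-tuple matches a live connection but whose sequence number is nowhere near the receive window. The following simulation is an added example, not code from the thread or from any product it mentions; the inside network, addresses, ports, sequence numbers and the fixed 64 KiB window are all constructed for illustration, and real stacks (RFC 5961) are stricter still about RST placement than the simple window check used here.

```python
"""Added example: three firewall models run over one constructed TCP trace."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}
    seq: int
    ack: int = 0
    length: int = 0   # payload bytes (0 for the control segments below)


def is_inside(ip: str) -> bool:
    # Constructed "inside" network for the example: 10.0.0.0/24.
    return ip.startswith("10.0.0.")


def fourtuple(p: Packet):
    return (p.src, p.sport, p.dst, p.dport)


def reverse(p: Packet):
    return (p.dst, p.dport, p.src, p.sport)


class StatelessAcl:
    """Extended ACL with an 'established' rule: remembers nothing. Inbound
    traffic is accepted whenever the ACK or RST bit is set."""
    name = "stateless"

    def allow(self, p: Packet) -> bool:
        if is_inside(p.src) and p.dport == 80:
            return True
        if is_inside(p.dst):
            return "ACK" in p.flags or "RST" in p.flags
        return False


class VirtualStateful:
    """Connection table keyed by 4-tuple; sequence numbers are ignored, so
    any segment carrying the right 4-tuple is accepted."""
    name = "virtual stateful"

    def __init__(self):
        self.table = set()

    def allow(self, p: Packet) -> bool:
        if is_inside(p.src) and p.dport == 80 and p.flags == {"SYN"}:
            self.table.add(fourtuple(p))
            return True
        return fourtuple(p) in self.table or reverse(p) in self.table


class SequenceStateful:
    """Connection table plus the next sequence number expected from each
    side; a segment outside [expected, expected + WINDOW) is dropped.
    Retransmissions and 32-bit wrap-around are deliberately not modelled."""
    name = "stateful (sequence-aware)"
    WINDOW = 65535  # constructed fixed window for the example

    def __init__(self):
        self.table: Dict[tuple, dict] = {}

    def allow(self, p: Packet) -> bool:
        key, rkey = fourtuple(p), reverse(p)
        if is_inside(p.src) and p.dport == 80 and p.flags == {"SYN"}:
            self.table[key] = {"client_nxt": p.seq + 1, "server_nxt": None}
            return True
        if key in self.table:
            side, conn = "client", self.table[key]
        elif rkey in self.table:
            side, conn = "server", self.table[rkey]
        else:
            return False
        expected = conn[side + "_nxt"]
        if expected is None:
            # First segment from the server: its SYN/ACK seeds the window.
            if "SYN" in p.flags:
                conn[side + "_nxt"] = p.seq + 1
                return True
            return False
        if not (expected <= p.seq < expected + self.WINDOW):
            return False  # out-of-window: the "improper reset" case
        conn[side + "_nxt"] = p.seq + p.length + (
            1 if ("SYN" in p.flags or "FIN" in p.flags) else 0)
        return True


CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
TRACE = [  # constructed trace: a handshake, then two segments to judge
    Packet(CLIENT, 40000, SERVER, 80, frozenset({"SYN"}), seq=1000),
    Packet(SERVER, 80, CLIENT, 40000, frozenset({"SYN", "ACK"}), seq=5000, ack=1001),
    Packet(CLIENT, 40000, SERVER, 80, frozenset({"ACK"}), seq=1001, ack=5001),
    # Right 4-tuple, sequence number far outside the window.
    Packet(SERVER, 80, CLIENT, 40000, frozenset({"RST"}), seq=999999),
    # Unsolicited inbound ACK for a connection that never existed.
    Packet("198.51.100.7", 80, CLIENT, 40000, frozenset({"ACK"}), seq=1, ack=1),
]


def run(model, trace: List[Packet]) -> List[bool]:
    return [model.allow(p) for p in trace]


def verdicts() -> Dict[str, List[bool]]:
    # Fresh model instances each call so state never leaks between runs.
    return {m.name: run(m, TRACE)
            for m in (StatelessAcl(), VirtualStateful(), SequenceStateful())}


if __name__ == "__main__":
    for name, result in verdicts().items():
        print(f"{name:26s}", ["pass" if r else "DROP" for r in result])
```

Only the sequence-aware table drops the out-of-window RST (segment 4); the virtual-stateful table, having no sequence state, cannot distinguish it from a legitimate reset, and the stateless ACL also passes the unsolicited ACK (segment 5) because the ACK bit alone satisfies its "established" rule.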