nanog mailing list archives
Re: Asymmetric Routing / Stateful Inspection Firewall
From: Steve Gibbard <scg () gibbard org>
Date: Tue, 16 Mar 2004 23:51:24 -0800 (PST)
On Tue, 16 Mar 2004 alex () pilosoft com wrote:
> If you are asking for stateful filtering for a firewall that sees only one-way conversation, it does not exist and cannot exist, by definition.

On a purely theoretical level, I'll disagree. A stateful inspection firewall needs to know about the packets going in one direction to do something intelligent with the packets going in one direction. That does not mean the firewall needs to see all the packets, just that it needs to know about them.

Systems for communicating information about flows and state between firewalls exist. Cisco does this on the PIXes for redundant firewalls, so that a fail-over can happen without connections being dropped. I assume other firewall manufacturers do that in this context as well.

What would be needed in this case would be to have the firewalls at the various different network entry points share information about connection state with each other. This sounds pretty easy, but whether the information sharing would happen fast enough to process return traffic on a new connection is a question I don't know the answer to. I don't know if anybody is making firewalls that actually do this.

-Steve
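The situation discussed in this thread, as an added toy model that is not part of the original post or of any vendor's implementation: two stateful firewalls sit at different network entry points, the outbound SYN leaves through one and the reply comes back through the other. Without shared connection state the second firewall drops the reply; with state sharing it accepts it; and when the state-sync message arrives after the reply, the first reply is still dropped and only a retransmission gets through. All addresses, ports, firewall names and the `Firewall`/`Packet` classes are constructed for the example.

```python
"""Toy model of stateful firewalls under asymmetric routing (added example).

Policy on both firewalls: allow outbound-initiated flows, allow inbound
packets only when they match a flow already in the state table, drop
everything else. State sharing between the two firewalls is modelled
either as immediate or as queued and delivered later.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)
INSIDE_PREFIX = "10."                # constructed: "inside" address space


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    def key(self) -> FlowKey:
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> FlowKey:
        # Key under which the initiating direction of this flow was recorded.
        return (self.dst, self.dport, self.src, self.sport)


@dataclass
class Firewall:
    name: str
    peers: List["Firewall"] = field(default_factory=list)
    state: Dict[FlowKey, str] = field(default_factory=dict)
    pending_sync: List[Tuple[FlowKey, str]] = field(default_factory=list)

    def _record(self, key: FlowKey, status: str, sync_now: bool) -> None:
        self.state[key] = status
        if sync_now:
            for peer in self.peers:          # immediate state sharing
                peer.state[key] = status
        else:
            self.pending_sync.append((key, status))  # sync arrives later

    def flush_sync(self) -> None:
        """Deliver queued state updates to peers (the delayed-sync case)."""
        for key, status in self.pending_sync:
            for peer in self.peers:
                peer.state[key] = status
        self.pending_sync.clear()

    def process(self, pkt: Packet, sync_now: bool = True) -> str:
        """Return "ALLOW" or "DROP" for one packet under the stateful policy."""
        if pkt.src.startswith(INSIDE_PREFIX):          # outbound direction
            if pkt.syn and not pkt.ack:                # new connection
                self._record(pkt.key(), "SYN_SENT", sync_now)
                return "ALLOW"
            return "ALLOW" if pkt.key() in self.state else "DROP"
        # Inbound: only replies to flows this firewall knows about.
        rk = pkt.reverse_key()
        if rk not in self.state:
            return "DROP"
        if pkt.syn and pkt.ack and self.state[rk] == "SYN_SENT":
            self._record(rk, "ESTABLISHED", sync_now)
        return "ALLOW"


def build_pair(shared: bool) -> Tuple[Firewall, Firewall]:
    """Two firewalls at different entry points, optionally sharing state."""
    a, b = Firewall("fw-a"), Firewall("fw-b")
    if shared:
        a.peers.append(b)
        b.peers.append(a)
    return a, b


# Constructed flow: inside host opens a TCP connection, the SYN exits via
# fw-a and the SYN/ACK returns via fw-b (asymmetric routing).
SYN = Packet("10.0.0.5", 40000, "203.0.113.7", 443, syn=True)
SYNACK = Packet("203.0.113.7", 443, "10.0.0.5", 40000, syn=True, ack=True)


def scenario_no_sharing() -> Tuple[str, str]:
    a, b = build_pair(shared=False)
    return a.process(SYN), b.process(SYNACK)       # ("ALLOW", "DROP")


def scenario_sharing() -> Tuple[str, str]:
    a, b = build_pair(shared=True)
    return a.process(SYN), b.process(SYNACK)       # ("ALLOW", "ALLOW")


def scenario_slow_sync() -> Tuple[str, str, str]:
    """Reply beats the state-sync message: first reply dropped, retransmit ok."""
    a, b = build_pair(shared=True)
    out = a.process(SYN, sync_now=False)
    early_reply = b.process(SYNACK)                # fw-b has no state yet
    a.flush_sync()                                 # sync finally arrives
    retransmit = b.process(SYNACK)
    return out, early_reply, retransmit            # ("ALLOW", "DROP", "ALLOW")


if __name__ == "__main__":
    print("no sharing :", scenario_no_sharing())
    print("sharing    :", scenario_sharing())
    print("slow sync  :", scenario_slow_sync())
```

The third scenario is the timing question raised in the post: synchronous sharing works in the model, but once the sync is queued behind the reply, the outcome depends on whether the peer's table is updated before the return packet arrives, which is why the acceptable sync latency is bounded by the round-trip time of the flows being protected.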