nanog mailing list archives
Re: I don't need no stinking firewall!
From: Simon Lockhart <simon () slimey org>
Date: Tue, 5 Jan 2010 20:39:06 +0000
On Tue Jan 05, 2010 at 02:16:58PM -0600, Brian Johnson wrote:

> I have my own idea of what a firewall is and what it does. I also understand what stateful packet inspection is and what it does. Given this information, and not prejudging any responses, exactly what is a firewall for and when is stateful inspection useful?
Not sure I'd call myself a security guru, but... I'm not a great fan of packet filtering firewalls (as opposed to proxy based or application layer firewalls). Generally, I just use stateless ACLs when I need additional network level security.

However, they do have one big disadvantage. Say you've got a server where you want to allow outbound HTTP access to anywhere on the Internet, but only SSH inbound from your home DSL. To do this, you'd build an inbound ACL which looks something like:

- Allow from home DSL IP to server port 22
- Allow from anywhere port 80 to server
- Deny all other traffic

You need the port 80 rule to allow the return traffic from all those outbound connections. However, an enterprising hacker realises that he can create a TCP connection from port 80 on his own box to port 22 on your server.

Now, if you change from stateless to stateful ACLs, you add the intelligence that whenever it sees a connection originating from your server to port 80 on the Internet, it automatically adds a rule that allows traffic back from the server you're talking to, but not anywhere else. Therefore, your enterprising hacker can no longer connect in.

Of course, the other benefit of a stateful inspection firewall is that it can do pattern matching on undesirable traffic based on signatures.

Simon

-- 
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
Director       | * Domain & Web Hosting * Internet Consultancy *
Bogons Ltd     | * http://www.bogons.net/ * Email: info () bogons net *
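The three-rule ACL above and its stateful counterpart, as a small added simulation (not code from the thread): the stateless filter admits any packet whose source port is 80, while the stateful one only admits packets that reverse a connection the server itself opened. Addresses are constructed placeholders from the documentation ranges.

```python
# Added example: stateless ACL vs. connection-tracking filter for the
# scenario in the message. HOME_DSL, SERVER and the peer addresses are
# constructed placeholders, not real hosts.
from dataclasses import dataclass

HOME_DSL = "203.0.113.10"  # placeholder "home DSL" address
SERVER = "192.0.2.5"       # placeholder server being protected


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def stateless_inbound_acl(pkt: Packet) -> bool:
    """The three-rule stateless ACL from the message, evaluated top-down."""
    if pkt.src == HOME_DSL and pkt.dst == SERVER and pkt.dport == 22:
        return True          # rule 1: SSH from home DSL
    if pkt.dst == SERVER and pkt.sport == 80:
        return True          # rule 2: "return" HTTP traffic (any source!)
    return False             # rule 3: deny everything else


class StatefulFilter:
    """Remembers outbound 4-tuples; inbound traffic must match one exactly."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        # Server opened a connection: record it so the reply is admitted.
        if pkt.src == SERVER:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> bool:
        if pkt.src == HOME_DSL and pkt.dst == SERVER and pkt.dport == 22:
            return True      # explicit SSH rule still applies
        # A reply must reverse a tracked flow: same peer address and ports.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare() -> dict[str, bool]:
    """Run a genuine reply and a forged source-port-80 packet through both."""
    fw = StatefulFilter()
    fw.outbound(Packet(SERVER, 40001, "198.51.100.7", 80))  # server -> web
    reply = Packet("198.51.100.7", 80, SERVER, 40001)       # real reply
    forged = Packet("198.51.100.99", 80, SERVER, 22)        # sport 80 -> ssh
    return {
        "stateless_reply": stateless_inbound_acl(reply),
        "stateless_forged": stateless_inbound_acl(forged),
        "stateful_reply": fw.inbound(reply),
        "stateful_forged": fw.inbound(forged),
    }
```

Real connection trackers also check TCP flags and sequence numbers; this simulation keeps only the 4-tuple to show why the stateless rule is too broad.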