On Thu, 13 Apr 2000 [EMAIL PROTECTED] wrote:
> "Luff, Darryl" <[EMAIL PROTECTED]> wrote:
> >
> > A packet filter only works on port numbers. If you allow connections
> > on port 80 through the firewall to your web server, the firewall will
> > only check the source and destination IP addresses and port numbers,
> > and allow the packet through. So if the packets have been intentionally
> > fiddled with in some way, the 'fiddled' packet will get to the server.
>
> Wrong. Please read Aza's question more carefully. He asked about
> "stateful" packet filters. They are much more powerful than regular
> filters in that they *do* look at packet contents as well as packet flags,
Um, no. Stateful packet filters look at the state of a connection. While
it's true that some commercial brands of stateful filters look at some
parts of some payloads for some subset of protocols, payload inspection
isn't part of the definition of "stateful filter", which is why, for
instance, Checkpoint calls its technology "stateful inspection."
Statefulness provides packet filters with the opportunity to have some of
the same properties for connections that application layer gateways have
by design.
When the MSG_OOB bug hit, not a single packet filter, _stateful or not_,
provided full protection from the bug, simply because nobody had exploited
that particular vector before, and the real live packets (with the exception
of some NAT configurations touching the IP address) were happily moved from
one interface to another as long as the state information for the state
engine said it was a valid connection. Now that everyone knows OOB data
can be bad, the stateful filters still either allow or strip the option;
they don't look at, say, FTP and see if an OOB packet is valid for the
current state of the client/server relationship.
How much inspection is done, and its inconsistency over multiple protocols,
are among the things that have always sat poorly with me when it comes to
some companies' marketing vs. reality engines.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson
[EMAIL PROTECTED]
PSB#9280
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
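As an added illustration of the distinction Paul draws above (not code from the thread or from any vendor's product), here is a constructed toy state engine: it opens state on a client SYN to an allowed port, advances on the server's SYN/ACK, and thereafter forwards anything matching the 4-tuple. The URG flag (the wire carrier of MSG_OOB data) is either passed or stripped wholesale, and the payload is never read, so an OOB segment on an established connection is forwarded whether or not it makes sense for the application protocol. Addresses, ports and the `strip_urg` switch are assumptions for the demo.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    urg: bool = False      # TCP URG flag, how MSG_OOB data travels on the wire
    payload: bytes = b""   # never consulted by the state engine below

class StatefulFilter:
    def __init__(self, allowed_dports, strip_urg=False):
        self.allowed = set(allowed_dports)
        self.strip_urg = strip_urg   # allow-or-strip is the only OOB choice modelled
        self.state = {}              # client 4-tuple -> "SYN_SENT" | "ESTABLISHED"

    def handle(self, pkt):
        """Return ("pass", forwarded_packet) or ("drop", None)."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd not in self.state and rev not in self.state:
            # No state yet: only a client SYN to an allowed port opens an entry.
            if pkt.syn and not pkt.ack and pkt.dport in self.allowed:
                self.state[fwd] = "SYN_SENT"
                return "pass", pkt
            return "drop", None
        key, from_client = (fwd, True) if fwd in self.state else (rev, False)
        if self.state[key] == "SYN_SENT":
            # Only the server's SYN/ACK advances the state; anything else is dropped.
            if from_client or not (pkt.syn and pkt.ack):
                return "drop", None
            self.state[key] = "ESTABLISHED"
            return "pass", pkt
        # ESTABLISHED: addresses and ports match, so the segment is forwarded. URG is
        # passed or stripped wholesale; whether OOB is valid for FTP/HTTP is never checked.
        if pkt.fin:
            del self.state[key]
        out = replace(pkt, urg=False) if (pkt.urg and self.strip_urg) else pkt
        return "pass", out

def run_oob_demo(strip_urg):
    # Handshake, then a client segment carrying URG/OOB data (constructed addresses).
    f = StatefulFilter({80}, strip_urg)
    f.handle(Packet("10.0.0.5", 40000, "192.0.2.10", 80, syn=True))
    f.handle(Packet("192.0.2.10", 80, "10.0.0.5", 40000, syn=True, ack=True))
    return f.handle(Packet("10.0.0.5", 40000, "192.0.2.10", 80, ack=True, urg=True, payload=b"!"))
```

In both configurations the segment is forwarded; the only thing that changes is whether the URG flag survives, which is exactly the allow-or-strip behaviour described in the message.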
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]