[EMAIL PROTECTED] wrote:
> 
> My point was that you can "imitate" a stateful filter by specifying
> flags.  Stateful filtering right in the code makes life a bit easier.
> Instead of specifying answers to former connections, you can just
> specify that the ACK bit is set.  And voila, you've got a "stateful"
> firewall. 

Not exactly. What if I generate an ACK-FIN (a la nmap) from outside the
firewall headed to an internal host? In your description, this would be
let through. With a true stateful firewall, there will be no state entry
match so the packet will get dropped.

Also, what about UDP, ICMP, etc. that do not have flag fields to work
with?

> Again, I'm not too clear on session hijacking, but from all the
> theories behind it, I'd say not.  All you're doing is sending a few
> messages to redirect the source or dest IP (whichever you're taking
> over). 

Goes back to the above. If you're stateful, the traffic may never make it
through and the hijack cannot take place (assuming all hosts are behind
the firewall). If you are not stateful, it may be possible to work this
on a UDP level. Depends on the config and the rules which are in place.

HTH,
Chris
-- 
**************************************
[EMAIL PROTECTED]

* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/

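The distinction argued in the reply above, as an added illustration that is not part of the original thread: a toy packet filter that puts the "ACK bit means established" shortcut next to a real connection tracker and runs the same constructed packet sequence through both. Hosts, ports and the rule that admits UDP replies by source port 53 are assumptions made for the example, not anything stated in the mail.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Added illustration, not from the original thread. All addresses and ports
# are constructed sample values.

@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp", "udp" or "icmp"
    src: str
    sport: int                            # icmp: echo identifier (in both port fields)
    dst: str
    dport: int
    direction: str                        # "out" = inside -> outside, "in" = outside -> inside
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK", "FIN"}

def stateless_allow(pkt: Packet) -> bool:
    """The 'imitated' stateful rule set from the quoted mail: anything out,
    and inbound traffic admitted if it *looks* like a reply. For TCP that is
    the ACK bit; UDP has no flags, so the usual workaround (assumed here) is
    to admit replies by source port; ICMP offers nothing to key on at all."""
    if pkt.direction == "out":
        return True
    if pkt.proto == "tcp":
        return "ACK" in pkt.flags
    if pkt.proto == "udp":
        return pkt.sport == 53            # assumed rule: let DNS answers back in
    return False                          # cannot tell an echo reply from a probe

class StatefulFilter:
    """Connection tracker: outbound traffic creates a state entry keyed on the
    5-tuple; inbound traffic is admitted only if it matches the reverse of an
    existing entry, regardless of what its flag bits claim."""
    def __init__(self) -> None:
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    @staticmethod
    def _forward(pkt: Packet) -> Tuple[str, str, int, str, int]:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt: Packet) -> Tuple[str, str, int, str, int]:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            key = self._forward(pkt)
            if pkt.proto == "tcp":
                # Only a bare SYN opens a new TCP flow; any other outbound
                # segment must belong to a flow we already track.
                if pkt.flags == frozenset({"SYN"}):
                    self.state.add(key)
                    return True
                return key in self.state
            self.state.add(key)           # UDP/ICMP: first outbound datagram creates state
            return True
        key = self._reverse(pkt)
        if key not in self.state:
            return False                  # unsolicited, e.g. an ACK-FIN probe: no entry, dropped
        if pkt.proto == "tcp" and "RST" in pkt.flags:
            self.state.discard(key)       # peer tore the connection down
        return True

def compare_verdicts() -> Dict[str, Tuple[bool, bool]]:
    """Run a constructed packet sequence through both filters.
    Returns {scenario: (stateless_verdict, stateful_verdict)}."""
    inside, web, dns, outsider = "10.0.0.5", "203.0.113.9", "203.0.113.53", "198.51.100.7"
    tracker = StatefulFilter()
    sequence = [
        ("outbound SYN to web server",
         Packet("tcp", inside, 40000, web, 80, "out", frozenset({"SYN"}))),
        ("SYN-ACK reply from web server",
         Packet("tcp", web, 80, inside, 40000, "in", frozenset({"SYN", "ACK"}))),
        ("unsolicited ACK-FIN probe from outside",
         Packet("tcp", outsider, 1234, inside, 22, "in", frozenset({"ACK", "FIN"}))),
        ("outbound DNS query", Packet("udp", inside, 5353, dns, 53, "out")),
        ("DNS reply", Packet("udp", dns, 53, inside, 5353, "in")),
        ("unsolicited UDP from source port 53", Packet("udp", outsider, 53, inside, 111, "in")),
        ("outbound ICMP echo request", Packet("icmp", inside, 7, web, 7, "out")),
        ("ICMP echo reply", Packet("icmp", web, 7, inside, 7, "in")),
    ]
    return {name: (stateless_allow(p), tracker.allow(p)) for name, p in sequence}

if __name__ == "__main__":
    for name, (stateless, stateful) in compare_verdicts().items():
        print(f"{name:40s} stateless={'pass' if stateless else 'drop':4s} "
              f"stateful={'pass' if stateful else 'drop'}")
```

Two scenarios carry the argument: the ACK-FIN probe passes the flag-based rule and is dropped by the tracker because nothing inside ever opened that flow, and for UDP and ICMP the stateless filter has to choose between admitting anything that looks like a reply and blocking legitimate answers, while the tracker simply checks for a matching entry.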