Stateful Inspection watches the stream including some protocol monitoring and matching
outgoing and incoming packets. But it doesn't re-create the stream like a full proxy
does to allow full syntax checking. It does a bit more than just maintain TCP state
or match ports and IP IDs like a simple stateful filter (versus a stateless filter
that does not match packets to a conversation).
There is a kind of hierarchy of firewalls:
- NATting router - Modifies destination addresses for private networking
- Stateless Packet filter - Checks ports and flags on a packet by packet basis
- Stateful Packet filter - Matches packets by sockets (in to out)
- Stateful Inspection - Watches the contents as well (doesn't change flags etc.)
- Application Proxy - Recreates contents of incoming to outgoing with 2 streams
As you go down you get a bit more safety but do more work so lose speed. Also not all
application gateways really handle the TCP/IP stack hardening as well as packet
filters do. All of them are tools that have a place in perimeter defence but none is a
magic bullet. FW-1 in the middle is very popular because it tends to balance speed and
safety but I really wouldn't want to use it to protect too many desktops running
Win95.
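The step from the stateless to the stateful packet filter in the hierarchy above, as an added example that is not part of either poster's message: a stateless rule set can only approximate "established" traffic by looking at the ACK flag, while a stateful filter matches each inbound packet to a socket pair it has seen opened from inside. The addresses, ports and traffic sequence are constructed for the demonstration.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # constructed: our private network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"})

def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)

def stateless_filter(pkt):
    """Packet-by-packet rules with no memory: anything outbound is allowed,
    inbound is allowed only if ACK is set (the old 'established' trick)."""
    return is_inside(pkt.src) or "ACK" in pkt.flags

class StatefulFilter:
    """Records sockets of conversations opened from inside and admits
    inbound packets only if they answer one of them."""
    def __init__(self):
        self.conversations = set()

    def check(self, pkt):
        outbound = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_inside(pkt.src):
            if pkt.flags == frozenset({"SYN"}):
                self.conversations.add(outbound)  # new conversation
                return True
            return outbound in self.conversations
        # inbound: must match the reversed socket pair of a known conversation
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conversations

def run_scenario():
    """Constructed traffic: one web fetch from inside, then an unsolicited
    inbound ACK aimed at an internal port. Returns (stateless, stateful) verdicts."""
    traffic = [
        ("client SYN", Packet("10.0.0.5", 40000, "203.0.113.7", 80, frozenset({"SYN"}))),
        ("server SYN/ACK", Packet("203.0.113.7", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))),
        ("client ACK", Packet("10.0.0.5", 40000, "203.0.113.7", 80, frozenset({"ACK"}))),
        ("stray ACK", Packet("198.51.100.9", 31337, "10.0.0.5", 139, frozenset({"ACK"}))),
    ]
    stateful = StatefulFilter()
    return {name: (stateless_filter(p), stateful.check(p)) for name, p in traffic}
```

The stray inbound ACK passes the stateless rules because the flag check is all they have, and is dropped by the stateful filter because no conversation to that socket was ever opened from inside.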
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Bernd Eckenfels
Sent: Tuesday, January 23, 2001 21:49
To: Ron DuFresne
Cc: Rohit Gupta; firewall list
Subject: Re: stateful inspection
On Tue, Jan 23, 2001 at 12:49:39PM -0600, Ron DuFresne wrote:
> To what degree though is the packet inspection?
You can script it. The degree is much less than Checkpoint is claiming
(proven by ICMP statelessness, by FTP Port Attacks and so on).
It is actually in the default scripts not very secure (remember the
mime/outlook buffer overrun, of course not trapped by stateful inspection).
So the question is whether one needs more than just "peeking" into the
protocols. And if yes, whether a transparent application proxy isn't the better
idea.
Greetings
Bernd
--
(OO) -- [EMAIL PROTECTED] --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]