Erik,

<..snip..>
        If you have a firewall product that tracks continuous session
        information like Sequence numbers, on a heavily loaded FW doesn't the
        synchronization of the session table to the standby machine cause
        considerable performance issues?
<..snip..>

First...   If you have a heavily loaded firewall it's time to upgrade or
do some bandwidth management on your network to make the firewall
less heavily loaded.

<..snip..>
        That is, tracking every state of every
        packet for 200,000 sessions and pushing it to a standby machine and
        expecting it flawlessly transition during a failover seems a bit
        overwhelming for a FW to handle.
<..snip..>

Firewall 1 doesn't sync state with every packet...   You set up a TCP (or UDP)
connection from one point to the other. This connection (source
IP + source port <-> destination IP + destination port) is entered
into the "state table" of the firewall...   all the packets in "this" connection
don't need to be kept stated because it's already in the "state table"
and doesn't need to be synchronised with the other member.

The firewall needs to see that there is a FIN or RST packet that ends
the session and the session is then out of the "state table" of firewall 1.
This is then also synchronised with the other cluster members.

Basically what needs to be synchronised is new established connections
and ended synchronisations...   current synchronisations are still there
so they don't need to be removed from the "state table".

<..snip..>
        Also, if the HA solution does keep state, but not of the sequence
        numbers, isn't the risk of session hijacking greater?
<..snip..>

If a firewall keeps state on sequence numbers you can still hijack
a connection. For most of the established connections the sequence
number will be +1 of the previous sessions (if I have understood this
correctly). So, in theory, you can hijack every session.

The point is when you want to hijack a starting session you need
to guess the beginning sequence number...   That's why you need
fully random sequence numbers in your OS to prevent sequence
number guessing and therefore also session hijacking.

But this is what I think about it...   maybe someone can shed some light
on the whole session hijacking and sequence numbers subject.

<..snip..>
        Are there any FWs out there that can keep session and track Sequence and
        securely transition?
<..snip..>

As far as I know, IPFilter, PF and netfilter / iptables can handle the
sequence number tracking. I know that Checkpoint firewall 1 doesn't
keep state on sequence numbers. So in theory you could inject,
on established connections, fake ACK packets with a totally different
sequence number and have it accepted by the firewall. Of course the
source IP address + port and destination IP address + port need to be
in the "state table" of FW1.

I hope you now know a little bit more...   Pretty interesting subject
if you think about it....

And I hope I am not talking BS either   :o)

Regards,


Brenno


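The two points above (only connection setup and teardown cross the sync link, and what sequence-number tracking changes about a spoofed ACK on an established 4-tuple) as an added illustration. This is a toy model written for this thread; it is not Check Point, FireWall-1, pf or netfilter code, and the node names, window size, addresses and segments are all assumptions.

```python
"""Toy model of a two-node stateful firewall cluster (added illustration,
not vendor code).  It shows:
  1. only connection setup and teardown are pushed over the sync link,
     never every packet of an established connection;
  2. a node that tracks sequence numbers drops a spoofed ACK with a wrong
     sequence number on an established 4-tuple, while a node keyed on
     addresses and ports alone accepts it, but the tracking node's copy
     of that state goes stale on the standby unless per-packet progress
     is synced as well.
Node names, window size, addresses and segments are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int, str, int]            # (src, sport, dst, dport)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                             # subset of "SAFR"
    seq: int
    length: int = 0                        # payload bytes

    def key(self) -> Key:
        return (self.src, self.sport, self.dst, self.dport)

    def rkey(self) -> Key:
        return (self.dst, self.dport, self.src, self.sport)


class Firewall:
    """One cluster node: `table` maps the initiator's 4-tuple to the next
    expected seq per direction; `sync_out` collects add/del messages for
    the peer.  track_seq=False models a node that only keys on the tuple."""

    def __init__(self, name: str, track_seq: bool, window: int = 65535):
        self.name, self.track_seq, self.window = name, track_seq, window
        self.table: Dict[Key, Dict[str, Optional[int]]] = {}
        self.sync_out: List[tuple] = []

    def apply_sync(self, msg: tuple) -> None:
        """Install a state-sync message received from the peer node."""
        op, key, entry = msg
        if op == "add":
            self.table[key] = dict(entry)
        else:
            self.table.pop(key, None)

    def process(self, seg: Segment) -> str:
        if seg.flags == "S":                            # new connection
            entry = {"fwd": seg.seq + 1, "rev": None}
            self.table[seg.key()] = entry
            self.sync_out.append(("add", seg.key(), dict(entry)))
            return "accept:new"
        if seg.key() in self.table:
            key, direction = seg.key(), "fwd"
        elif seg.rkey() in self.table:
            key, direction = seg.rkey(), "rev"
        else:
            return "drop:unestablished"                  # no SYN seen for this tuple
        entry = self.table[key]
        if self.track_seq:
            expected = entry[direction]
            if expected is None:                         # first segment this way (SYN/ACK)
                expected = seg.seq
            # simplified window check; pf/netfilter also bound it by the peer's ACK
            if abs(seg.seq - expected) > self.window:
                return "drop:out-of-window"
        entry[direction] = seg.seq + seg.length + (1 if set("SF") & set(seg.flags) else 0)
        if set("FR") & set(seg.flags):                   # teardown: remove and sync removal
            del self.table[key]
            self.sync_out.append(("del", key, None))
            return "accept:closed"
        return "accept"


def run_scenario(track_seq: bool) -> Dict[str, object]:
    """Handshake, data, a spoofed ACK, then failover to the synced standby."""
    active, standby = Firewall("fw-a", track_seq), Firewall("fw-b", track_seq)
    client, server = ("10.0.0.5", 40000), ("192.0.2.10", 443)   # constructed endpoints
    handshake = [
        Segment(*client, *server, "S", seq=1000),
        Segment(*server, *client, "SA", seq=5000),
        Segment(*client, *server, "A", seq=1001),
        Segment(*client, *server, "A", seq=1001, length=500),
        Segment(*server, *client, "A", seq=5001, length=1200),
    ]
    verdicts = [active.process(s) for s in handshake]
    # 100 KB of client data in 1000-byte segments: produces no sync traffic at all
    bulk = [active.process(Segment(*client, *server, "A", seq=1501 + i * 1000, length=1000))
            for i in range(100)]
    # spoofed ACK on the live 4-tuple with a seq far outside the window
    injected = active.process(Segment(*client, *server, "A", seq=900_000_000, length=40))
    for msg in active.sync_out:                          # replicate state to the standby
        standby.apply_sync(msg)
    # failover: the client's next legitimate segment now reaches the standby
    after_failover = standby.process(Segment(*client, *server, "A", seq=101_501, length=100))
    closed = standby.process(Segment(*client, *server, "FA", seq=101_601))
    return {
        "handshake": verdicts,
        "bulk_all_accepted": all(v == "accept" for v in bulk),
        "injected": injected,
        "packets_seen": len(handshake) + len(bulk) + 1,
        "sync_messages": len(active.sync_out),
        "after_failover": after_failover,
        "closed": closed,
        "standby_entries": len(standby.table),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("track_seq=%s:" % mode, run_scenario(mode))
```

Running it prints both modes. In either mode 106 packets pass the active node but exactly one message (the connection add) crosses the sync link, which is the point about not syncing per packet. With track_seq=True the spoofed ACK is dropped as out-of-window, but after failover the standby still holds the sequence state from connection setup, so the client's legitimate segment 100 KB later is dropped too and the stale entry lingers until a timeout: that is the trade-off behind the original question about syncing sequence numbers on a busy cluster. The window check here is deliberately simplified (no per-direction ACK bound, no retransmission handling) to keep the model short.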

> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Friday 1 February 2002 16:16
> To:   [EMAIL PROTECTED]
> Subject:      RE: Statefull failover in High Availabilty /clustering
> firewalls
> 
> I, too, have been curious about this aspect of HA.
> 
> considerable performance issues? That is, tracking every state of every
> packet for 200,000 sessions and pushing it to a standby machine and
> expecting it flawlessly transition during a failover seems a bit
> overwhelming for a FW to handle.
> It also seems that during a failure, it is possible that packets could
> get lost in the firewall and the synchro of the session couldn't occur
> properly anyway.
> Also, if the HA solution does keep state, but not of the sequence
> numbers, isn't the risk of session hijacking greater?
> 
> Are there any FWs out there that can keep session and track Sequence and
> securely transition?
> 
> erik
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Hiemstra, Brenno
> Sent: Friday, February 01, 2002 4:04 AM
> To: 'Don Ng'; [EMAIL PROTECTED]
> Subject: RE: Statefull failover in High Availabilty /clustering
> firewalls
> 
> 
> Don...
> 
> <..snip..>
>       1.0 From a security viewpoint would stateful failover of firewalls
>       be a plus or minus.
> <..snip..>
> 
> Checkpoint firewalls do state synchronisation between the firewall cluster
> nodes. If one of the cluster members goes down then the other firewall(s)
> take over the communication. There is no reason you need to re-establish
> the connection again. If state synching works like it does, the connection
> shouldn't be dropped.
> 
> 
> Checkpoint also has stateful inspection (let's not discuss whether it's REAL
> stateful inspection). Which means that if the firewall didn't receive a SYN
> packet for a TCP session and you send a SYN/ACK or ACK packet, the firewall
> will drop it as an "Unestablished TCP packet".  Checkpoint doesn't keep state
> on the sequence numbers...    but IP addresses alone aren't enough to get into
> the state table of Firewall 1.
> 
> You can also look at Stonebeat as an addition to your Checkpoint firewall 1
> cluster. Stonebeat adds load balancing and load sharing between all the
> nodes, with which you can also run your firewall cluster in an Active -
> Active setup.
> 
> <..snip..>
>       2.0 Is it that difficult to ensure that the DB be consistent without
>       depending on external devices, I mean this would involve greater
>       resources on commits, precommits etc.
> <..snip..>
> 
> WHAT ????
> 
> <..snip..>
>       3.0 What is the probability of an attacker being able to trigger a
>       stateful failover and taking advantage of this.
> <..snip..>
> 
> The only thing an attacker gains with it is that communication with your,
> for example, DMZ is disturbed. There shouldn't be a possibility to bypass or
> inject a communication... otherwise this would be a serious sec hole in the
> Checkpoint firewall 1 product.
> 
> Good luck !
> 
> Regards,
> 
> 
> Brenno
> 
> 
> > -----Original Message-----
> > From:       Don Ng [SMTP:[EMAIL PROTECTED]]
> > Sent:       Thursday 31 January 2002 14:29
> > To: [EMAIL PROTECTED]
> > Subject:    Statefull failover in High Availabilty /clustering firewalls
> > 
> >  Hi all, Checkpoint firewalls have intrinsic load balancing capabilities,
> > and they have stateful failovers between the active and standby firewalls.
> >  Meaning in this case there would be no need for the client to
> > re-establish the connection via the 3 way handshake.
> >  
> >    So when packets arrive at the firewall with non expected sequence
> > numbers, they are still let through as long as the IP addresses are OK?
> >  <no hands on on checkpoint, based on literature>
> >  
> >   I have come across clients that state their primary worries were the
> > integrity of the databases in opting for this solution. As they fear a
> > situation where a firewall goes down and a transaction is lost,
> > especially for financial transactions.
> >  
> >  My question is.
> > 1.0 From a security viewpoint would stateful failover of firewalls be
> >     a plus or minus.
> > 2.0 Is it that difficult to ensure that the DB be consistent without
> >     depending on external devices, I mean this would involve greater
> >     resources on commits, precommits etc.
> > 3.0 What is the probability of an attacker being able to trigger a
> >     stateful failover and taking advantage of this.
> >  
> > Nothing too heated please.
> >  
> > Thanks and regards
> > Don Ng
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls