On Tue, Jan 5, 2010 at 3:16 PM, Brian Johnson <bjohn...@drtel.com> wrote:
> I have my own idea of what a firewall is and what it does. I also
> understand what stateful packet inspection is and what it does. Given
> this information, and not prejudging any responses, exactly what is a
> firewall for and when is stateful inspection useful?
A firewall is anything that examines IP packets in-line for the purpose of discarding undesirable packets before they can be interpreted by the transport layer protocol (e.g. TCP) on the endpoint computer. A firewall is usually a computer filling in the same slot as a router in a network topology, capable of discarding packets before they can reach the endpoint computer at all. In some cases, though, a firewall may be a separate piece of software on the same computer sending or receiving the packet.

The purpose of the firewall is to permit the protected equipment to operate with a less thorough (hence less expensive) attention to the network security process. You can't really afford to have a dedicated network security guru for every dozen desktops playing big brother with what software the users are using, so you focus your attention on the border instead.

Stateful inspection is useful when you want the firewall to discard any packets which are not part of a communications session that the firewall understands and has approved. By contrast, packet filtering will only discard those packets explicitly deemed bad.

At a practical level, the above distinction can be a no-op. Internal machines are usually incapable of acting on packets the packet filter will unintentionally pass, such as IP fragments without the first fragment.

Stateful address-overloaded NAT offers additional protection over stateful inspection alone in that the firewall naturally "fails closed." That is, a malfunctioning firewall will drop acceptable packets rather than allow bad ones. This is "defense in depth." An error in the filtering process still leaves the firewall with no idea which internal machine to transmit the errantly cleared packet to; that information was only available as part of the session state. By contrast, stateful, packet filtering and non-overloaded NAT firewalls are always able to send the packet to an internal machine once it passes the filtering rules.

This last is part of what makes the little "DSL routers" such useful weapons in the network security professional's arsenal.

Regards,
Bill Herrin

-- 
William D. Herrin ................ her...@dirtside.com  b...@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
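A toy model of the distinction Bill draws above, added here as an illustration and not code from the post or from any product: a stateless packet filter passes whatever it has no rule against (a non-initial fragment included), while an address-overloaded NAT can only forward an inbound packet through a mapping it created on an earlier outbound packet, so a packet a buggy filter cleared still has no inside host to go to. The addresses, ports and the port-allocation scheme are constructed for the example.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"  # firewall's outside address (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    first_fragment: bool = True  # False models a non-initial IP fragment

class StatelessFilter:
    """Packet filter: discards only what a rule explicitly deems bad."""

    def __init__(self, deny_ports):
        self.deny_ports = set(deny_ports)

    def inbound(self, pkt):
        # A non-initial fragment carries no transport header, so no port
        # rule can match it and the filter passes it (the post's example).
        if not pkt.first_fragment:
            return pkt
        return None if pkt.dport in self.deny_ports else pkt

class StatefulNAPT:
    """Overloaded NAT: inbound is forwarded only through a mapping created
    by an earlier outbound packet, so a filter bug cannot reach an inside host."""

    def __init__(self):
        self.table = {}  # (inside_ip, inside_port) -> outside port
        self.next_port = 40000  # constructed port-allocation scheme

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(PUBLIC_IP, self.table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt, filter_passed=True):
        # filter_passed=True models a filter that wrongly cleared the packet;
        # without a mapping there is still no inside host to deliver it to.
        if not filter_passed or not pkt.first_fragment or pkt.dst != PUBLIC_IP:
            return None
        for (ip, port), outside in self.table.items():
            if outside == pkt.dport:
                return Packet(pkt.src, pkt.sport, ip, port)
        return None
```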