> There have been a few postings recently about Netfilter's ability to do
> proper stateful inspection, and whether the connection tracking table etc is
> sufficient.
>
> I'm interested to know what people actually regard as 'proper stateful
> inspection' in a firewall.
>
> Can anyone point me at a URL etc which they think has a clear and accurate
> definition of what 'stateful inspection' means, and what a firewall needs to
> do to qualify for this name ?
I haven't been able to find a "clear" definition of what stateful inspection means, let alone "proper". Varies by vendor I suppose. The general consensus seems to be that any firewall that keeps session information in a table and allows or denies access based on the session state table is doing stateful inspection. AFAICT, the first commercially available firewall with stateful inspection capabilities was Firewall-1 in 1994. In fact, they seem to have coined the term although I haven't been able to verify that.

There have been some recent discussions on this list about the use of sequence numbers by the firewall to thwart session hijacking. IMHO, they aren't required for a firewall to be considered stateful. Here is a quote from Cisco regarding the PIX (which apparently does use sequence numbers in the state table):

"For security, the ASA takes the source and destination addresses and ports, TCP sequence numbers, and additional TCP flags and hashes the IP header information. The hashing acts like a fingerprint--it creates a code that uniquely identifies the client initiating the inbound or outbound connection. In order for hackers to penetrate the firewall to an end client, they would have to obtain not only the IP address, but also the port number and the TCP sequence numbers and additional IP flags. This scenario is very unlikely because Cisco's PIX Firewall series randomizes the TCP sequencing numbers for each session. Lastly, the connection object is terminated when the session is over."

Admittedly, this is getting a little over my head but apparently in the case of PIX anyway, the TCP sequence numbers are really only used to provide TCP sequencing "randomness" where none or little is present. It's a good thing, but I was under the impression that most modern TCP/IP stacks already did this.

Cisco at least, is under the impression that "most TCP/IP implementations use a simple additive algorithm for incrementing sequence numbers, making it a trivial matter to...guess...". Hmmm...nmap OS fingerprinting [on my boxes anyway] suggests otherwise but YMMV. It's certainly not a useless thing though.

Matt
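To make the two definitions discussed in this thread concrete, here is a toy connection tracker written for this page. It is not Netfilter code, not Matt's, and not anything from Cisco; the addresses, ports and sequence numbers are constructed. The baseline behaviour is the "consensus" definition above: keep a session table keyed by the 4-tuple, let inside hosts open sessions with a SYN, admit inbound packets only if they match a tracked session, and drop the entry when the session ends. The optional `track_seq` flag adds the stricter PIX-style check, where a packet must also land inside a window around the next expected sequence number for its direction. The scenario function runs the same packet sequence through both modes so the difference is visible: a packet with the right 4-tuple but an implausible sequence number passes the table-only firewall and is dropped by the sequence-aware one. The 32-bit wraparound handling of a real stack is left out for brevity.

```python
"""Toy stateful TCP tracker (added example; not Netfilter's or any vendor's code)."""
from dataclasses import dataclass, field

INSIDE_PREFIX = "10.0.0."  # constructed: hosts that sit behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int
    payload_len: int = 0


@dataclass
class Conn:
    state: str                                   # SYN_SENT, SYN_RECV, ESTABLISHED
    next_seq: dict = field(default_factory=dict)  # "orig"/"reply" -> next expected seq


class StatefulFirewall:
    def __init__(self, track_seq=False, window=65535):
        self.track_seq = track_seq
        self.window = window
        self.table = {}  # originator 4-tuple -> Conn

    def _lookup(self, p):
        """Find the session this packet belongs to and which direction it travels."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return fwd, "orig"
        if rev in self.table:
            return rev, "reply"
        return None, None

    def _seq_ok(self, conn, direction, p):
        """Sequence-number window check; only active when track_seq is set."""
        if not self.track_seq or direction not in conn.next_seq:
            return True
        expected = conn.next_seq[direction]
        return expected <= p.seq < expected + self.window  # no wraparound handling

    def filter(self, p):
        key, direction = self._lookup(p)
        if key is None:
            # A new session may only be opened by an inside host, and only with a bare SYN.
            if p.flags == frozenset({"SYN"}) and p.src.startswith(INSIDE_PREFIX):
                self.table[(p.src, p.sport, p.dst, p.dport)] = Conn("SYN_SENT", {"orig": p.seq + 1})
                return "ACCEPT"
            return "DROP: no matching session"
        conn = self.table[key]
        if not self._seq_ok(conn, direction, p):
            return "DROP: sequence number outside window"
        if conn.state == "SYN_SENT" and direction == "reply" and p.flags == frozenset({"SYN", "ACK"}):
            conn.state = "SYN_RECV"
            conn.next_seq["reply"] = p.seq + 1  # SYN consumes one sequence number
            return "ACCEPT"
        if conn.state == "SYN_RECV" and direction == "orig" and "ACK" in p.flags:
            conn.state = "ESTABLISHED"
        if conn.state == "ESTABLISHED":
            conn.next_seq[direction] = max(conn.next_seq.get(direction, 0), p.seq + p.payload_len)
            if "FIN" in p.flags or "RST" in p.flags:
                del self.table[key]  # session over: the connection object is terminated
            return "ACCEPT"
        return "DROP: packet does not fit session state %s" % conn.state


def run_scenario(track_seq):
    """Same packet sequence through a table-only and a sequence-aware firewall."""
    fw = StatefulFirewall(track_seq=track_seq)
    client, server = "10.0.0.5", "192.0.2.10"  # constructed addresses
    v = []
    v.append(fw.filter(Packet(client, 40000, server, 80, frozenset({"SYN"}), seq=1000)))
    v.append(fw.filter(Packet(server, 80, client, 40000, frozenset({"SYN", "ACK"}), seq=5000)))
    v.append(fw.filter(Packet(client, 40000, server, 80, frozenset({"ACK"}), seq=1001)))
    # legitimate reply data from the server
    v.append(fw.filter(Packet(server, 80, client, 40000, frozenset({"ACK"}), seq=5001, payload_len=100)))
    # unsolicited inbound SYN with no session behind it
    v.append(fw.filter(Packet("198.51.100.7", 1234, client, 22, frozenset({"SYN"}), seq=1)))
    # right 4-tuple, but a sequence number nowhere near the expected 5101
    v.append(fw.filter(Packet(server, 80, client, 40000, frozenset({"ACK"}), seq=900000000, payload_len=10)))
    return v


if __name__ == "__main__":
    for mode in (False, True):
        print("track_seq=%s:" % mode, run_scenario(mode))
```

Both modes accept the three-way handshake and the genuine reply data and drop the unsolicited SYN; only the sequence-aware mode drops the final packet. That is the gap the thread is arguing about: whether the table-only behaviour already qualifies as stateful inspection, with sequence tracking as an extra, or whether the stricter check is part of the definition.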
