Firewall Wizards mailing list archives

RE: FW Sequence Number based statefulness


From: Peter Crocker <pcrocker () netscreen com>
Date: Mon, 14 May 2001 14:18:04 -0700

Nimesh,

TCP sequence checking monitors and validates the serialization of bytes.
Sequence checking involves continuously learning and remembering the (trusted
client) TCP byte sequence counter, and validating the (untrusted server)
acknowledgements received. It verifies that the untrusted acknowledgement number
is in the range of the trusted sequence number and window. (The window may
use an appropriately selected fixed value, say 32 or 64K, rather than
strictly monitoring the window. The implementation may also verify trusted
acknowledgement number against the untrusted sequence number, but this may
not be necessary.) If the packets received by the firewall have TCP sequence
numbers outside of the window for the given session, the packet is typically
dropped.

Regards,
Peter

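The check Peter describes, written out as a small Python model. This is an added example for illustration, not NetScreen's code and not taken from the white paper: it learns the trusted client's sequence counter, uses a fixed window (64K by default, 32K also shown) instead of the peer's advertised window, and drops any untrusted-side segment whose acknowledgement number falls outside that window. The exact bounds used (an ack may not exceed what the client has sent, and may not be more than one window stale) and the sample segments are this example's own assumptions; the message above states only the principle.

```python
"""Added example (not NetScreen's implementation): a minimal model of
stateful TCP sequence/acknowledgement checking at a firewall.

State per session: the trusted client's next sequence number, learned from
the client's own segments.  For each segment from the untrusted server the
acknowledgement number must fall within one fixed window of that counter.
All comparisons are done modulo 2**32 so sequence wraparound is handled.
The acceptance bounds below are this example's choice.
"""

MOD = 1 << 32


def in_modular_range(value: int, low: int, high: int) -> bool:
    """True if value lies in the inclusive interval [low, high] on the 32-bit
    sequence-number circle, so an interval that wraps past 2**32 still works."""
    return (value - low) % MOD <= (high - low) % MOD


class TcpSeqState:
    """Per-session sequence state for the trusted (client) direction."""

    def __init__(self, client_isn: int, window: int = 64 * 1024):
        # The SYN consumes one sequence number, so the client's next byte is ISN+1.
        self.client_next_seq = (client_isn + 1) % MOD
        self.window = window  # fixed value, e.g. 32K or 64K, not the advertised window

    def client_segment(self, seq: int, payload_len: int, fin: bool = False) -> bool:
        """Validate a segment from the trusted client and learn its sequence.
        In-order data and retransmissions within one window pass; a segment
        whose sequence number is further away (e.g. forged) is dropped."""
        low = (self.client_next_seq - self.window) % MOD
        high = (self.client_next_seq + self.window) % MOD
        if not in_modular_range(seq, low, high):
            return False
        end = (seq + payload_len + (1 if fin else 0)) % MOD
        # Advance the learned counter only if this segment reaches further.
        if in_modular_range(end, self.client_next_seq, high):
            self.client_next_seq = end
        return True

    def server_segment(self, ack: int) -> bool:
        """Validate the acknowledgement number on a segment from the untrusted
        server.  The server can only acknowledge bytes the client actually
        sent, so ack must not pass client_next_seq, and an ack more than one
        window behind is treated as bogus (assumed bounds)."""
        low = (self.client_next_seq - self.window) % MOD
        return in_modular_range(ack, low, self.client_next_seq)


def run_session(segments, client_isn: int, window: int = 64 * 1024):
    """Apply the check to (direction, seq, ack, payload_len) tuples and return
    one verdict per segment: "pass" or "drop"."""
    state = TcpSeqState(client_isn, window)
    verdicts = []
    for direction, seq, ack, length in segments:
        if direction == "c2s":
            ok = state.client_segment(seq, length)
        else:
            ok = state.server_segment(ack)
        verdicts.append("pass" if ok else "drop")
    return verdicts


# Constructed sample session (not captured traffic).  The client ISN sits
# 256 bytes below 2**32 so the first 512-byte send wraps the sequence space.
CLIENT_ISN = 0xFFFFFF00
SAMPLE_SEGMENTS = [
    ("c2s", 0xFFFFFF01, 0x00000000, 512),  # client data; seq space wraps to 0x101
    ("s2c", 0x00001000, 0x00000101, 0),    # server acks all 512 bytes: pass
    ("s2c", 0x00001000, 0x12345678, 0),    # forged RST/ACK with a random ack: drop
    ("s2c", 0x00001000, 0x00000102, 0),    # acks a byte the client never sent: drop
    ("c2s", 0xDEADBEEF, 0x00001000, 40),   # forged client segment, wild seq: drop
]

if __name__ == "__main__":
    for seg, verdict in zip(SAMPLE_SEGMENTS, run_session(SAMPLE_SEGMENTS, CLIENT_ISN)):
        print(f"{seg[0]} seq={seg[1]:#010x} ack={seg[2]:#010x} -> {verdict}")
```

Only the client's sequence is tracked here, matching the remark above that checking the trusted acknowledgement against the untrusted sequence may not be necessary; a fuller implementation would keep the symmetric state for the reverse direction as well. Note that a fixed window wider than the peer's real window lets through some segments a strict check would reject, which is the trade-off Peter alludes to.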

-----Original Message-----
From: Nimesh vakharia [mailto:nvakhari () clio rad sunysb edu]
Sent: Monday, May 14, 2001 10:02 PM
To: Peter Crocker
Cc: 'Carson Gaspar'; firewall-wizards () nfr com
Subject: RE: [fw-wiz] FW Sequence Number based statefulness



Thanks, but the white paper is not clear how it maintains state using
sequence numbers? What does the firewall do in case it sees an out of
sequence packet(s)?

Nimesh.

On Mon, 14 May 2001, Peter Crocker wrote:

You should expect this from any firewall product that does stateful
inspection of packets. You should also expect a lot more than just sequence
number checking. For example, here is how NetScreen implements stateful
inspection:

http://www.netscreen.com/products/firewall_wpaper.html

Regards,
Peter


-----Original Message-----
From: Carson Gaspar [mailto:carson () taltos org]
Sent: Sunday, May 13, 2001 12:08 AM
To: Nimesh vakharia; firewall-wizards () nfr com
Subject: Re: [fw-wiz] FW Sequence Number based statefulness




--On Thursday, May 10, 2001 9:16 PM -0400 Nimesh vakharia 
<nvakhari () clio rad sunysb edu> wrote:


Are there any firewalls out there that maintain state using sequence
numbers in addition to port/IP etc..?

Darren Reed's free ipfilter does. I'm fairly sure the PIX does (since it 
can re-write sequence numbers), but I can't be certain (love that Cisco 
documentation...).

-- 
Carson




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

