Firewall Wizards mailing list archives
Re: FW and TCP Sessions
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 01 Jun 2004 09:22:31 -0400
Manoj Kumar Neelapareddy wrote:
If a FW is said to be a stateful firewall, then will it allow a TCP packet to pass through it (outbound) if I haven't sent a TCP SYN to initiate a TCP session before sending this TCP packet?
Manoj, "stateful" is a marketing term, invented by marketers, and means whatever it means - there's no shared understanding of what a "stateful" firewall is or does except that "everyone knows that it's better than just 'packet filtering'".

"Packet filtering" firewalls are ones that process traffic using header information only, without carrying forward any context or "state". Note that the "state" that is carried by TCP itself is almost entirely in the sequence number and the SYN/ACK flags in the packet. So a "stateful" firewall *might* do:

- SYN checking
- TCP sequence checking
- firewall-specific internal state tracking; i.e.: remembering which interface the SYN packet came in on
- layer 7 protocol positioning

As far as I have ever been able to tell, the first "stateful" firewalls were hardly more "stateful" than flagging the interface the SYN packet came in on, and snagging bits of layer 7 protocol (without addressing fragmentation!) for some app protocols like FTP.

In every possible sense of the term, proxy firewalls are "stateful" since they typically are doing TCP and application termination and that requires doing all the things a stack would. How "stateful" became equated with "good" when it's actually a *subset* of what a good firewall does is a tribute to marketing genius and the customers' desires to make themselves comfortable with marginal but attractive technology.

New generation "stateful" firewalls aren't bad at all and many are doing a lot of layer 7 work and nearly all of TCP processing. I am largely critical of the early "stateful" firewalls that were little more than a pimped-up screening router that cost 10X as much. Nowadays "stateful" firewalls are excellent products that are almost as good as dumbed-down proxy firewalls.
I heard that a stateful firewall won't allow any TCP packets, other than TCP SYNs, to pass through it if there is no session corresponding to the TCP packet maintained in the FW's session table.
Pretty much, that's it! That's actually a second generation "stateful" firewall. 1st generation just kept a state table about what interface the SYN came in on. 2nd generation ones were "smart" enough to do some TCP sequence-tracking.

Depending on the firewall, it's an open question what the firewall does when it encounters a packet that appears to be part of a TCP which it has not seen the beginning of. Some products are permissive for a while after they are rebooted and will accept the traffic. This is a thorny problem and equates to an acceptance of vulnerability that I'm not comfortable with.

mjr.
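The three checks discussed in this thread (remembering which interface the SYN arrived on, tracking TCP sequence numbers, and deciding what to do with a non-SYN packet for which no session exists) can be made concrete in a toy filter. The following is an added illustration written for this archive page, not code from any firewall product or from the posters; the `Packet`, `Session` and `StatefulFilter` names, the interface labels `inside`/`outside`, the addresses and the `accept_midstream` switch are all constructed for the example. The `accept_midstream` flag models the permissive post-reboot behaviour the reply describes, so the same stray mid-stream packet can be seen dropped in the strict configuration and accepted in the permissive one.

```python
"""Toy stateful TCP filter: SYN check, per-interface state, sequence check.

Constructed teaching example; ignores sequence-number wraparound,
retransmissions, fragmentation and layer 7 entirely.
"""
from dataclasses import dataclass, field

# TCP flag bits as they appear in the header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    """Only the header fields the filter consults (constructed, not a parser)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    payload_len: int
    iface: str            # interface the packet arrived on


@dataclass
class Session:
    iface: dict = field(default_factory=dict)     # direction -> arrival interface
    next_seq: dict = field(default_factory=dict)  # direction -> expected next seq


class StatefulFilter:
    def __init__(self, accept_midstream=False, window=65535):
        self.table = {}                   # (src, sport, dst, dport) -> Session
        self.accept_midstream = accept_midstream
        self.window = window

    def _lookup(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return fwd, self.table[fwd], "fwd"
        if rev in self.table:
            return rev, self.table[rev], "rev"
        return fwd, None, "fwd"

    def process(self, p):
        key, sess, direction = self._lookup(p)
        if sess is None:
            if p.flags & SYN and not p.flags & ACK:
                # New session: record the SYN's interface (1st-gen state)
                # and its initial sequence number (2nd-gen state).
                sess = Session()
                sess.iface["fwd"] = p.iface
                sess.next_seq["fwd"] = p.seq + 1      # SYN consumes one seq
                self.table[key] = sess
                return "ACCEPT"
            # Non-SYN packet with no session: a stream we never saw start.
            return "ACCEPT" if self.accept_midstream else "DROP"

        if direction not in sess.iface:
            # First reply must be the SYN/ACK; it fixes the reverse-side
            # interface and sequence number.
            if not (p.flags & SYN and p.flags & ACK):
                return "DROP"
            sess.iface[direction] = p.iface
            sess.next_seq[direction] = p.seq + 1
            return "ACCEPT"

        # Interface check: traffic for a direction must keep arriving
        # on the interface where that side was first seen.
        if p.iface != sess.iface[direction]:
            return "DROP"

        # Sequence check: the segment must start inside the expected window.
        expected = sess.next_seq[direction]
        if not (expected <= p.seq < expected + self.window):
            return "DROP"
        consumed = p.payload_len + bool(p.flags & SYN) + bool(p.flags & FIN)
        sess.next_seq[direction] = p.seq + consumed
        if p.flags & RST:
            del self.table[key]               # reset tears the session down
        return "ACCEPT"


def run_scenario(accept_midstream=False):
    """Drive a handshake, data, a spoofed interface, a bad sequence number,
    a stray mid-stream packet and a reset; returns the list of verdicts."""
    fw = StatefulFilter(accept_midstream=accept_midstream)
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 80)   # constructed addresses
    pkts = [
        Packet(*c, *s, SYN, 1000, 0, "inside"),          # handshake
        Packet(*s, *c, SYN | ACK, 5000, 0, "outside"),
        Packet(*c, *s, ACK, 1001, 0, "inside"),
        Packet(*c, *s, ACK, 1001, 100, "inside"),        # 100 bytes of data
        Packet(*c, *s, ACK, 1101, 10, "outside"),        # wrong interface
        Packet(*c, *s, ACK, 999999, 10, "inside"),       # outside window
        Packet("10.0.0.9", 5555, *s, ACK, 7, 0, "inside"),  # no session seen
        Packet(*s, *c, ACK | RST, 5001, 0, "outside"),   # server resets
        Packet(*c, *s, ACK, 1101, 10, "inside"),         # session is gone
    ]
    return [fw.process(p) for p in pkts]


if __name__ == "__main__":
    print("strict:    ", run_scenario())
    print("permissive:", run_scenario(accept_midstream=True))
```

The difference between the two runs is exactly the point of the reply: in strict mode the stray ACK from a never-seen stream is dropped, while in the permissive mode it is accepted even though the filter has no idea who opened that connection or on which side.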