Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 14 Nov 2007 22:00:57 -0500

On Nov 13, 2007 10:58 PM, Kelly Robinson <caliana1989 () gmail com> wrote:
> Some firewalls, after receiving a packet, generate a new packet and populate
> it with data from the original, rather than forwarding the same packet that
> was received. What are the advantages and disadvantages of this approach?
> And does anyone have any examples of any firewalls that do this on the
> market?


Your first statement is a bit ambiguous.  Are you talking specifically
about IP reassembly?  Because in a sense, any packet that has
undergone NAT translation is a "new" packet because it has changed
(albeit just 2-3 fields of the IP header) from the time it arrived to
the time it was forwarded on.

So the upside to firewalls that do IP reassembly (like iptables, pf,
and most of the commercial "stateful firewall" products) as well as
proxy firewalls is that they serve to normalize traffic to one degree
or another.  They reduce the amount of control an external attacker
has over the packets that are passed to your network through the
firewall.

The downside is that this can break crappy protocols (or even normal
protocols in the case of a misconfigured firewall).

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
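An added example, not code from the thread or from any firewall it mentions: a minimal Python sketch of the "new packet" approach Paul describes, where the firewall reassembles IP fragments and then emits one freshly built datagram (source address rewritten for NAT, checksum recomputed) instead of forwarding the fragments it received. It assumes 20-byte IPv4 headers without options, that fragments for one datagram are fed in together, and the constructed sample addresses and helper names (`reassemble`, `normalize_and_nat`) are hypothetical.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload, ident=0, flags_frag=0x4000, ttl=64):
    """20-byte IPv4 header plus payload with a valid checksum.
    The default flags_frag is DF with offset 0, i.e. an unfragmented datagram."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      ident, flags_frag, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt):
    (_, _, total_len, ident, flags_frag, ttl, proto,
     _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (pkt[0] & 0x0F) * 4
    return {"ident": ident, "mf": bool(flags_frag & 0x2000), "proto": proto,
            "offset": (flags_frag & 0x1FFF) * 8, "ttl": ttl, "src": src,
            "dst": dst, "payload": pkt[ihl:total_len]}

def reassemble(fragments):
    """Stitch one datagram's fragments together in offset order. Mixed IDs,
    overlaps, gaps or a missing final fragment yield None: no guessing."""
    frags = sorted((parse_ipv4(f) for f in fragments), key=lambda f: f["offset"])
    if len({f["ident"] for f in frags}) != 1:
        return None
    payload, expected = b"", 0
    for f in frags:
        if f["offset"] != expected:
            return None
        payload += f["payload"]
        expected += len(f["payload"])
    return None if frags[-1]["mf"] else (frags[0], payload)

def normalize_and_nat(fragments, new_src):
    """Reassemble, then emit one new datagram: fresh header (DF, new TTL,
    recomputed checksum), rewritten source address, original payload only."""
    result = reassemble(fragments)
    if result is None:
        return None
    first, payload = result
    return build_ipv4(new_src, first["dst"], first["proto"], payload, ident=first["ident"])

# Constructed sample input: a 24-byte datagram (protocol 17) split into two
# fragments that arrive out of order; addresses are RFC 1918 / documentation values.
SRC, DST, NAT_SRC = bytes([10, 0, 0, 5]), bytes([203, 0, 113, 9]), bytes([198, 51, 100, 1])
PAYLOAD = bytes(range(24))
FRAGS = [build_ipv4(SRC, DST, 17, PAYLOAD[8:], ident=0x1234, flags_frag=1),       # offset 8, last
         build_ipv4(SRC, DST, 17, PAYLOAD[:8], ident=0x1234, flags_frag=0x2000)]  # offset 0, MF
```

Running `normalize_and_nat(FRAGS, NAT_SRC)` yields a single 44-byte datagram whose header the firewall built itself; a fragment set with an overlap or gap is refused rather than forwarded.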
