[120860] in North American Network Operators' Group
Re: I don't need no stinking firewall!
daemon@ATHENA.MIT.EDU (Simon Lockhart)
Tue Jan 5 15:39:48 2010
Date: Tue, 5 Jan 2010 20:39:06 +0000
From: Simon Lockhart <simon@slimey.org>
To: Brian Johnson <bjohnson@drtel.com>
In-Reply-To: <29A54911243620478FF59F00EBB12F4701B27EDF@ex01.drtel.lan>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue Jan 05, 2010 at 02:16:58PM -0600, Brian Johnson wrote:
> I have my own idea of what a firewall is and what it does. I also
> understand what stateful packet inspection is and what it does. Given
> this information, and not prejudging any responses, exactly what is a
> firewall for and when is stateful inspection useful?
Not sure I'd call myself a security guru, but...
I'm not a great fan of packet filtering firewalls (as opposed to proxy based
or application layer firewalls).
Generally, I just use stateless ACLs when I need additional network level
security. However, they do have one big disadvantage. Say you've got a server
where you want to allow outbound HTTP access to anywhere on the Internet, but
only SSH inbound from your home DSL. To do this, you'd build an inbound ACL
which looks something like:
- Allow from home DSL IP to server port 22
- Allow from anywhere port 80 to server
- Deny all other traffic.
You need the port 80 rule to allow the return traffic from all those outbound
connections.
However, an enterprising hacker realises that he can create a TCP connection
from port 80 on his own box to port 22 on your server.
Now, if you change from stateless to stateful ACLs, you add the intelligence
that whenever it sees a connection originating from your server to port 80
on the internet, it automatically adds a rule that allows traffic back from
the server you're talking to, but not anywhere else. Therefore, your
enterprising hacker can no longer connect in.
Of course, the other benefit that a stateful inspection firewall can do is
pattern matching on undesirable traffic based on signatures.
Simon
--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
Director | * Domain & Web Hosting * Internet Consultancy *
Bogons Ltd | * http://www.bogons.net/ * Email: info@bogons.net *
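As an added illustration (not part of Simon's post), the following Python model evaluates the three-line inbound ACL he describes first statelessly and then with connection tracking, so the difference in outcome for the source-port-80 case is visible. All addresses and port numbers are constructed for the example.

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
HOME_DSL = "203.0.113.10"    # the admin's home DSL line
SERVER = "192.0.2.5"         # the server being protected
WEBSITE = "198.51.100.80"    # a web site the server talks to
OTHER_HOST = "198.51.100.99" # some unrelated host on the Internet

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True for a connection-opening SYN

def stateless_inbound_allowed(pkt: Packet) -> bool:
    """The inbound ACL from the post, judged one packet at a time."""
    if pkt.dst == SERVER and pkt.dport == 22 and pkt.src == HOME_DSL:
        return True                      # SSH from home DSL
    if pkt.dst == SERVER and pkt.sport == 80:
        return True                      # intended for HTTP return traffic
    return False                         # deny everything else

class StatefulFilter:
    """Same policy, but inbound 'port 80' traffic must match a flow the
    server itself opened; nothing else from source port 80 is accepted."""
    def __init__(self) -> None:
        self.flows = set()               # (server_port, remote_ip, remote_port)

    def outbound(self, pkt: Packet) -> None:
        if pkt.src == SERVER and pkt.dport == 80 and pkt.syn:
            self.flows.add((pkt.sport, pkt.dst, pkt.dport))

    def inbound_allowed(self, pkt: Packet) -> bool:
        if pkt.dst == SERVER and pkt.dport == 22 and pkt.src == HOME_DSL:
            return True
        # A reply is the outbound 4-tuple with the two ends swapped.
        return (pkt.dport, pkt.src, pkt.sport) in self.flows

def run_scenario() -> dict:
    """Returns (stateless, stateful) verdicts for each inbound packet."""
    sf = StatefulFilter()
    sf.outbound(Packet(SERVER, 40000, WEBSITE, 80, syn=True))   # server browses
    cases = {
        "http_reply": Packet(WEBSITE, 80, SERVER, 40000, syn=False),
        "home_ssh":   Packet(HOME_DSL, 51000, SERVER, 22, syn=True),
        "sport80_to_ssh": Packet(OTHER_HOST, 80, SERVER, 22, syn=True),
    }
    return {n: (stateless_inbound_allowed(p), sf.inbound_allowed(p))
            for n, p in cases.items()}
```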