[120938] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (David Hiers)
Wed Jan 6 11:50:31 2010

In-Reply-To: <29A54911243620478FF59F00EBB12F4701B27EDF@ex01.drtel.lan>
Date: Wed, 6 Jan 2010 08:49:43 -0800
From: David Hiers <hiersd@gmail.com>
To: Brian Johnson <bjohnson@drtel.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Poking the dragon a bit, aren't you?  Fun.

If you really look at it, there is no quantitative difference between
stateful and non-stateful.  A non-stateful firewall can prevent a
TCP session from entering the SYN_RECEIVED state by blocking the SYN
packet, so it strongly impacts session state without really trying.  A
stateful firewall will venture a bit deeper into the state diagram
with a few more rules, but this is mostly a quantitative difference
when viewed at a behavioral level (disregarding the internal
implementation, of course).  Coders and marketeers will burn me in
effigy over this, but there are already a lot of people in that line...

In the most general terms, a firewall attempts to permit desired
traffic flows and block undesirable traffic flows.

Stateful ones attempt to do so using knowledge of the protocols'
state machines.

The work performed by a stateful firewall must be done, either by
the ultimate endpoints (your servers, etc) or by a central enforcement
point (a firewall).  In other words, desirable traffic (like spice)
must flow, and undesirable traffic must not impede the former.

The rationale for the existence of firewalls is that you can enforce
the rules of the protocols more cheaply if you move some of the
enforcement into a specialized device (a stateful firewall).

If you care to engineer every end node such that they can enforce the
protocols' state machines in every case at every possible traffic
level, you have no need for firewalls at all.  At the current
triple-point of threat, product, and protocol, separation of function
is currently a useful method, nothing more.

David

On Tue, Jan 5, 2010 at 12:16 PM, Brian Johnson <bjohnson@drtel.com> wrote:
> Security Gurus, et al,
>
> I have my own idea of what a firewall is and what it does. I also
> understand what statefull packet inspection is and what it does. Given
> this information, and not prejudging any responses, exactly what is a
> firewall for and when is statefull inspection useful?
>
> Please respond on-list as I want to have some useful discourse and
> discussion in the clear. Flamers and Trolls will be disregarded. :)
>
> Thank you.
>
> - Brian
>
>
> CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the
> intended recipient(s) and may contain confidential and privileged information. Any unauthorized review,
> copying, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please
> contact the sender by reply e-mail and destroy all copies of the original message. Thank you.
>
>
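An added illustration of the point made above about how far into the TCP state diagram each kind of filter reaches. This is example code written for this archive page, not code from the thread, from either poster, or from any firewall product: a Python simulation with a stateless rule (drop inbound SYN without ACK, pass everything else) beside a small stateful connection tracker. The addresses, the `Packet` type, the state names and the packet sequences are all constructed for the example.

```python
"""Stateless vs. stateful TCP filtering on constructed packet sequences.

Both filters stop an unsolicited inbound SYN, so neither lets a flow reach
SYN_RECEIVED on the protected host.  Only the stateful one can tell an
unsolicited inbound ACK or SYN/ACK from a genuine reply, because it remembers
which flows it has seen a handshake for.
"""
from dataclasses import dataclass

IN, OUT = "in", "out"   # IN: arriving from the untrusted side; OUT: leaving the trusted side


@dataclass(frozen=True)
class Packet:
    direction: str          # IN or OUT
    flow: tuple             # (inside_ip, inside_port, outside_ip, outside_port), same both ways
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


def stateless_filter(pkt: Packet) -> str:
    """Classic ACL: drop inbound connection attempts (SYN without ACK), pass the rest.
    It keeps no memory, so any inbound segment with ACK set looks like a reply."""
    if pkt.direction == IN and pkt.syn and not pkt.ack:
        return "DROP"
    return "ALLOW"


class StatefulFilter:
    """Walks each flow through a cut-down TCP state machine:
    SYN_SENT -> SYN_RECEIVED -> ESTABLISHED -> FIN_<side> -> forgotten.
    A packet passes only if it fits the next expected step for its flow."""

    def __init__(self):
        self.table = {}     # flow tuple -> state name

    def filter(self, pkt: Packet) -> str:
        state = self.table.get(pkt.flow)
        if pkt.rst:
            # A reset tears the flow down; only meaningful for a flow we know about.
            self.table.pop(pkt.flow, None)
            return "ALLOW" if state else "DROP"
        if state is None:
            # Only an outbound SYN may open a flow; anything else is unsolicited.
            if pkt.direction == OUT and pkt.syn and not pkt.ack:
                self.table[pkt.flow] = "SYN_SENT"
                return "ALLOW"
            return "DROP"
        if state == "SYN_SENT":
            if pkt.direction == IN and pkt.syn and pkt.ack:
                self.table[pkt.flow] = "SYN_RECEIVED"
                return "ALLOW"
            return "DROP"
        if state == "SYN_RECEIVED":
            if pkt.direction == OUT and pkt.ack and not pkt.syn:
                self.table[pkt.flow] = "ESTABLISHED"
                return "ALLOW"
            return "DROP"
        if state == "ESTABLISHED":
            if pkt.syn:
                return "DROP"           # a SYN inside an established flow is out of place
            if pkt.fin:
                self.table[pkt.flow] = "FIN_" + pkt.direction
            return "ALLOW"
        # FIN_in / FIN_out: one side has closed; when the other side's FIN arrives, forget the flow.
        if pkt.fin and state != "FIN_" + pkt.direction:
            del self.table[pkt.flow]
        return "ALLOW"


def run(packets, stateful=None):
    """Return (stateless verdicts, stateful verdicts) for one packet sequence."""
    sf = stateful if stateful is not None else StatefulFilter()
    return ([stateless_filter(p) for p in packets], [sf.filter(p) for p in packets])


# Constructed flow: inside host 10.0.0.5 talking to 192.0.2.10:80 (documentation range).
FLOW = ("10.0.0.5", 40000, "192.0.2.10", 80)

SCENARIOS = {
    "unsolicited inbound SYN": [Packet(IN, FLOW, syn=True)],
    "unsolicited inbound ACK": [Packet(IN, FLOW, ack=True)],
    "SYN/ACK with no SYN before it": [Packet(IN, FLOW, syn=True, ack=True)],
    "outbound handshake and data": [
        Packet(OUT, FLOW, syn=True),
        Packet(IN, FLOW, syn=True, ack=True),
        Packet(OUT, FLOW, ack=True),
        Packet(IN, FLOW, ack=True),              # data from the server
        Packet(OUT, FLOW, ack=True, fin=True),   # client closes
        Packet(IN, FLOW, ack=True, fin=True),    # server closes
    ],
}


def compare(name):
    """Verdicts of both filters for a named constructed scenario."""
    return run(SCENARIOS[name])


if __name__ == "__main__":
    for name in SCENARIOS:
        stateless, stateful = compare(name)
        print(f"{name:32} stateless={stateless} stateful={stateful}")
```

The two filters agree on the unsolicited SYN and on the legitimate outbound connection; they part ways on the inbound ACK and SYN/ACK, which the stateless rule passes because it has nothing to check them against. That gap is the "few more rules" deeper into the state diagram, and it is exactly the work the post says must be done somewhere, either on the end host or in the enforcement device.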

