On the GNAC firewall list [EMAIL PROTECTED] wrote:
>At 05:44 PM 4/13/00 +0930, you wrote:
>
>>Strictly speaking, a stateful packet filter only keeps state (duh). This
>>means that an SPF is supposed to know everything about the TCP/IP rules
>>for the flow of data between the internal and external hosts.
>
>What, then, is "state"? By your message, I don't see the difference between
>this and a "normal" packet filter.
A normal packet filter will allow an established TCP packet from
the bad outside to the feeble inside even if there never was a
connection opened from the inside.
I.e., on a non-stateful Cisco, neglecting antispoofing, in order
to permit only outgoing web and DNS requests, you write:
inside -> outside
permit tcp any any eq 80
permit udp any any eq 53
outside -> inside
! "established" only tests the ACK/RST bits, not whether a flow exists
permit tcp any eq 80 any established
! return traffic for the UDP 53 rule above (must be udp, not tcp)
permit udp any eq 53 any
This permits any outsider to forge incoming packets, using his
own IP, without the need to listen to your traffic. He can
send spoofed established packets to any machine that can do
outgoing http providing he sets his source port to 80, and he
can initiate a UDP conversation with any machine that can do
outbound DNS providing he sets his source port to 53.
First line of defense is to decree that services are located on
ports <1024 and requests should come from >=1024. That actually
helps a lot. It still has gaping holes, of course.
On a stateful filtering device such as a Cisco IOS with stateful
filtering, a PIX, an ipfilter, etc., you are able to completely
squeeze the second access list (you may have to specify in the
first list that return communications are accepted, but that's
minor).
Not only are the filter lists easier to read, but people who
are not contacted by you cannot initiate communications
with you by pretending to be part of an already established
communication, because the filtering device keeps a constantly
updated list (state) about who is talking to whom.
Hope I was clear enough, HTH.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
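As an added illustration (not part of the original post or the list discussion), the following Python model replays a few constructed packets through the two approaches described above: the stateless "established"/source-port ACL, including the ">= 1024 reply port" refinement, and a stateful filter that only admits inbound packets matching a flow the inside opened. All addresses and ports are made up, and the inside network is assumed to be 10.0.0.0/24.

```python
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # constructed: prefix of the inside network


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP control bits present: "SYN", "ACK", "RST", "FIN"

    @property
    def outbound(self) -> bool:
        return self.src.startswith(INSIDE_NET)


def stateless_filter(pkt: Packet, require_ephemeral: bool = False) -> bool:
    """The two Cisco-style ACLs from the post, evaluated per packet with no memory.
    IOS 'established' only tests that ACK or RST is set in the TCP header."""
    if pkt.outbound:
        return (pkt.proto == "tcp" and pkt.dport == 80) or \
               (pkt.proto == "udp" and pkt.dport == 53)
    if require_ephemeral and pkt.dport < 1024:
        return False  # the "replies go to ports >= 1024" refinement from the post
    if pkt.proto == "tcp" and pkt.sport == 80 and pkt.flags & {"ACK", "RST"}:
        return True
    if pkt.proto == "udp" and pkt.sport == 53:
        return True
    return False


class StatefulFilter:
    """Same outbound policy, but inbound packets must match a flow the inside opened."""

    def __init__(self):
        # flow key: (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.flows: set = set()

    @staticmethod
    def _key(pkt: Packet):
        if pkt.outbound:
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def allow(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        if pkt.outbound:
            policy_ok = (pkt.proto == "tcp" and pkt.dport == 80) or \
                        (pkt.proto == "udp" and pkt.dport == 53)
            if not policy_ok:
                return False
            if pkt.proto == "udp" or pkt.flags == {"SYN"}:
                self.flows.add(key)      # a fresh conversation opened from inside
                return True
            return key in self.flows     # mid-stream TCP must belong to a known flow
        # inbound: no ACL at all, just a lookup in the state table
        if key not in self.flows:
            return False
        if "RST" in pkt.flags:
            self.flows.discard(key)      # a reset tears the conversation down
        return True


def run_scenario() -> dict:
    """Replays constructed packets through both filters; returns {name: (stateless, stateful)}."""
    F = frozenset
    packets = [
        ("legit_http_syn",   Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, F({"SYN"}))),
        ("legit_http_reply", Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, F({"SYN", "ACK"}))),
        ("legit_dns_query",  Packet("udp", "10.0.0.5", 5353, "203.0.113.53", 53)),
        ("legit_dns_reply",  Packet("udp", "203.0.113.53", 53, "10.0.0.5", 5353)),
        # forged from the sender's own address, source port 80, ACK set: no inside host asked
        ("forged_tcp_ack",   Packet("tcp", "198.51.100.7", 80, "10.0.0.9", 1025, F({"ACK"}))),
        # forged UDP "reply" from source port 53 to a host that sent no query
        ("forged_udp_53",    Packet("udp", "198.51.100.7", 53, "10.0.0.9", 1025)),
        # right inside port, wrong peer: the 5-tuple does not match the open flow
        ("wrong_peer_ack",   Packet("tcp", "198.51.100.7", 80, "10.0.0.5", 40000, F({"ACK"}))),
    ]
    spf = StatefulFilter()
    return {name: (stateless_filter(p, require_ephemeral=True), spf.allow(p))
            for name, p in packets}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:18s} stateless={'permit' if stateless else 'deny ':6s} "
              f"stateful={'permit' if stateful else 'deny'}")
```

The three forged packets pass the stateless lists even with the ephemeral-port check, because each one satisfies the header test the ACL can see; the stateful filter denies them because nothing in its table says an inside host started those conversations.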