Sorry, my ride was waiting and I rushed, I should have added that
'stateful' inspection means that it tracks active connections so it can
tell if a packet is part of an authorised connection or not, rather than
just letting all matching packets through. Packet filters still don't
regenerate packets, once the packet passes the filter it is allowed through
to the destination. The state that is kept is IP/TCP/UDP level stuff though,
not application level, so it's pretty basic.

If you wanted to allow connectivity from a client to a mail server, you'd
set up the rules to generate this behaviour from the three types of firewall:

Straight Packet filter:
- If the source is the client, the destination is the server and the
destination port is SMTP, allow the packet
- If the source is the server, the source port is SMTP, the destination is
the client, and it isn't a SYN packet, allow the packet

So the client can send any packet to the server on the SMTP port, and the
server can send any packet but a SYN packet to the client from the SMTP port.


Stateful packet filter:
- If the packet belongs to an active connection in the state table, allow
the packet
- Otherwise, if the source is the client, the destination is the server and
the destination port is SMTP, allow the packet and add the connection to the
state table
- When the connection is closed, or times out, remove the connection from
the state table

So the client can initiate connections to the server on the SMTP port. Once
the client has opened a connection, the server can send packets back to the
client as part of this conversation. Once the client closes the connection,
the server can't send packets anymore until the client opens another
connection. Hopefully the firewall would check sequence numbers etc. to
ensure packets are actually part of the connection, although I don't think
they all do.


Proxy:
- When a new connection comes from the client to the server on the SMTP
port, accept the connection at the firewall and set up a second connection
between the firewall and the server
- Relay commands and responses between the client and server (hopefully
checking the application contents in the process to ensure they are valid).
The content can be checked for compliance with specs, virus scanned, or
whatever else you want
- When the client closes the connection, close the second (server)
connection

So there are two separate connections, one between the client and the
firewall, and one between the firewall and the server, and the firewall can
filter, virus-check, or whatever else it wants to do on the application
content as it passes through. The client thinks it's talking to the server,
but none of the client's IP packets ever really get to the server.

So 'Stateful' packet filters should be more secure than straight packet
filters, and proxy servers should be more secure than stateful packet
filters, assuming they're implemented and configured properly. The main
trouble seems to be that what it says on the brochure, and how they actually
work, may not be the same thing.


Darryl.
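The three rule sets above, played out in code. This is an added example and not part of Darryl's post or of any firewall product: a toy straight packet filter, a toy stateful filter with a connection table, and the kind of application-level check only a proxy can make, all run against one constructed SMTP session. The client and server addresses are made up, the "SYN packet" in rule 2 of the straight filter is read as a SYN with no ACK (the connection-opening packet, which is how the classic "established" style of rule behaves), and the stateful filter keeps no timeouts and checks no sequence numbers, which is exactly the gap the post worries about.

```python
from dataclasses import dataclass

SMTP = 25
CLIENT = "10.0.0.5"      # constructed addresses for the example
SERVER = "192.0.2.25"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset      # TCP flags set on the packet, e.g. frozenset({"SYN"})


def straight_filter(pkt):
    """Rules 1 and 2 from the post: every packet judged on its own."""
    # Rule 1: client -> server, destination port SMTP
    if pkt.src == CLIENT and pkt.dst == SERVER and pkt.dport == SMTP:
        return True
    # Rule 2: server -> client from the SMTP port, as long as it is not a
    # bare SYN (assumption: "not a SYN packet" means ACK or RST must be set)
    if (pkt.src == SERVER and pkt.sport == SMTP and pkt.dst == CLIENT
            and ("ACK" in pkt.flags or "RST" in pkt.flags)):
        return True
    return False


class StatefulFilter:
    """Stateful rules from the post: a table of active connections.
    The state is TCP-level only; nothing about SMTP is understood here.
    Simplification: no idle timeout and no sequence-number checks."""

    def __init__(self):
        self.table = {}   # connection key -> number of FINs seen so far

    @staticmethod
    def _key(pkt):
        # Same key for both directions of one TCP connection.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def allow(self, pkt):
        key = self._key(pkt)
        if key in self.table:
            # Packet belongs to an active connection: allow it, track teardown.
            if "RST" in pkt.flags:
                del self.table[key]
            elif self.table[key] >= 2:       # final ACK after both FINs
                del self.table[key]
            elif "FIN" in pkt.flags:
                self.table[key] += 1
            return True
        # Otherwise only a fresh SYN from the client to SMTP opens a connection.
        if (pkt.src == CLIENT and pkt.dst == SERVER and pkt.dport == SMTP
                and pkt.flags == frozenset({"SYN"})):
            self.table[key] = 0
            return True
        return False


def run_scenario():
    """Replay one constructed SMTP session, then a stray packet from the server
    after the close. Returns {step: (straight_allows, stateful_allows)}."""
    c, s, cp, F = CLIENT, SERVER, 1025, frozenset
    session = [
        ("syn",      Packet(c, s, cp, SMTP, F({"SYN"}))),
        ("syn-ack",  Packet(s, c, SMTP, cp, F({"SYN", "ACK"}))),
        ("ack",      Packet(c, s, cp, SMTP, F({"ACK"}))),
        ("banner",   Packet(s, c, SMTP, cp, F({"ACK", "PSH"}))),
        ("fin",      Packet(c, s, cp, SMTP, F({"FIN", "ACK"}))),
        ("fin-ack",  Packet(s, c, SMTP, cp, F({"FIN", "ACK"}))),
        ("last-ack", Packet(c, s, cp, SMTP, F({"ACK"}))),
        # Connection is closed; anyone can now send "from port 25" to the client.
        ("stray",    Packet(s, c, SMTP, cp, F({"ACK", "PSH"}))),
    ]
    stateful = StatefulFilter()
    return {name: (straight_filter(p), stateful.allow(p)) for name, p in session}


# What only a proxy can do: look at the application data before relaying it.
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
              "QUIT", "VRFY", "HELP"}


def proxy_relays(line):
    """Relay a client line only if it is a well-formed SMTP command line:
    ASCII, CRLF-terminated, at most 512 octets including the CRLF (RFC 5321),
    and starting with a known verb. Neither packet filter can make this call."""
    if len(line) > 512 or not line.endswith(b"\r\n"):
        return False
    try:
        text = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        return False
    verb = text.split(" ", 1)[0].upper()
    return verb in SMTP_VERBS


if __name__ == "__main__":
    for step, (plain, stateful) in run_scenario().items():
        print(f"{step:9} straight={plain!s:5} stateful={stateful!s:5}")
    print("proxy relays MAIL FROM:", proxy_relays(b"MAIL FROM:<a@example.com>\r\n"))
    print("proxy relays 600-byte HELO:", proxy_relays(b"HELO " + b"A" * 600 + b"\r\n"))
```

The interesting row is the last one: the straight filter passes the stray packet because it matches rule 2 on addresses, ports and flags alone, while the stateful filter drops it because no connection is in the table. Neither filter sees the SMTP commands at all; the `proxy_relays` check is the extra layer the post describes for a proxy.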

> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, April 13, 2000 5:46 PM
> To:   [EMAIL PROTECTED]
> Cc:   [EMAIL PROTECTED]
> Subject:      RE: Packet Filtering vs. Proxy
> 
> "Luff, Darryl" <[EMAIL PROTECTED]> wrote:
> > 
> > A packet filter only works on port numbers. If you allow connections
> > on port
> > 80 through the firewall to your web server, the firewall will only
> > check the
> > source and destination IP addresses and port numbers, and allow the
> > packet
> > through. So if the packets have been intentionally fiddled with in
> > some way
> > the 'fiddled' packet will get to the server.
> 
> Wrong.  Please read Aza's question more carefully.  He asked about
> "stateful" packet filters.  They are much more powerful than regular
> filters in that they *do* look at packet contents as well as packet flags,
> etc.  I have left the relevant portion of Aza's message intact below
> from your quotation of his message.
> 
> > > -----Original Message-----
> > > From:     Aza Goudriaan [SMTP:[EMAIL PROTECTED]]
> > > Sent:     Thursday, April 13, 2000 5:01 PM
> > > To:       [EMAIL PROTECTED]
> > > Subject:  Packet Filtering vs. Proxy
> > > 
> 
> [ snip ]
> 
> > >  1. When reading about packet filtering and proxies, everybody says
> > > that a proxy gives more security than (stateful) packet filtering. Can
> > > you explain why?
> 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]