Nadav Har'El wrote:
> 
> On Thu, Oct 19, 2000, Shachar Shemesh wrote about "Re: firewall":
> > Duplicating exactly the FW-1 functionality in an opensource project is not
> > practical, due to a patent on stateful inspection. This gives the FW-1 product
> > the ability to open specific ports that would normally be blocked, because, for
> > example, an FTP protocol request required that port. If you wanted to support the
> > same protocol with a static packet filtering firewall (such as IPChains), either
> > this, or probably a lot more, ports would have to be permanently open. To the
> >..

One thing not commonly mentioned in regard to "stateful inspection" is
the risk it *introduces* to your setting.
Consider the following obvious fact: for stateful inspection the
firewall is required to keep state for any entity it tracks, such as
open connections.

A possible attack is then to open as many connections as you can in a
short time to force that connection table to fill up. This is not (any
more) an academic discussion - SYN attacks, which are basically based
on the same principle (but happening at the bastion server, not the
firewall) are what caused in the last year major players like Yahoo and
eBay to fall down. Using a "stateful inspection" firewall introduces yet
another point of failure to your setup.

Of course, since a firewall, by definition, is a "bump on the network",
it's a point that's even better to exploit than a specific bastion
server, because it takes down the entire network.

Now of course firewalls are designed with such things in mind (at least
FW-1 does). So for example, they used short timers to throw out stale
connections, but because of the way TCP/IP is built, there is a limit to
how good you can make this behave without starting to throw out real
slow connections, especially taking into account TCP's known "slow
start" feature.

So what's the conclusion? Don't use stateful inspection? No. Just that a
firewall, like any other security feature, is not a magic word. You need
to consider when and how to use it and which one to choose based on the
situation at hand and not "brand name". The fact that product X is
buzzword compliant does not make it, necessarily, what you need.

OK, I'll step off my soap box now... ;-)

Gilad.


-- 
Gilad Ben-Yossef <[EMAIL PROTECTED]> 
http://kagoor.com :: +972(54)756701
"Money is the root of all evils. Send $20 for more info..."
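The trade-off Gilad describes above (a bounded connection table that an attacker can fill, versus idle timers short enough to evict stale entries but long enough not to drop slow legitimate flows) can be made concrete with a small simulation. The following is an added example, not part of the original post and not FW-1 or IPChains code: it models a firewall state table with a capacity and an idle timeout, and the flow keys, addresses and timings are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class StateTable:
    """A toy stateful-firewall connection table (constructed model, not a real product)."""
    capacity: int          # maximum number of tracked flows
    idle_timeout: float    # seconds of silence after which an entry is evicted
    entries: dict = field(default_factory=dict)  # flow key -> time of last packet

    def expire(self, now: float) -> int:
        """Evict entries idle longer than idle_timeout; return how many were dropped."""
        stale = [k for k, last in self.entries.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def touch(self, key: tuple, now: float) -> bool:
        """Record a packet for flow `key` at time `now`; False means the new flow was refused."""
        self.expire(now)
        if key in self.entries:
            self.entries[key] = now        # existing flow: refresh its timer
            return True
        if len(self.entries) >= self.capacity:
            return False                   # table full: a new flow cannot be tracked
        self.entries[key] = now
        return True

def simulate(capacity: int, idle_timeout: float, burst_size: int,
             new_flow_at: float, slow_flow_gap: float) -> dict:
    """Run one scenario and report what happened to the legitimate flows.

    Timeline (all values constructed):
      t=0            a legitimate slow client opens a flow, then stays quiet
      t=1            a burst of `burst_size` distinct half-open flows arrives
      t=new_flow_at  a second legitimate client tries to open a flow
      t=slow_flow_gap  the slow client sends its next packet (>= new_flow_at)
    """
    table = StateTable(capacity, idle_timeout)
    slow_key = ("10.0.0.5", 40000, "198.51.100.1", 443)
    table.touch(slow_key, 0.0)

    # Burst of flows from many constructed source addresses and ports.
    for i in range(burst_size):
        table.touch((f"203.0.113.{i % 254 + 1}", 10000 + i, "198.51.100.1", 80), 1.0)

    new_flow_accepted = table.touch(("10.0.0.6", 40001, "198.51.100.1", 443), new_flow_at)

    # If the slow client's entry was evicted, its next mid-stream packet would
    # match no state and a stateful firewall would drop it.
    table.expire(slow_flow_gap)
    slow_flow_survived = slow_key in table.entries

    return {
        "new_flow_accepted": new_flow_accepted,
        "slow_flow_survived": slow_flow_survived,
        "tracked": len(table.entries),
    }

if __name__ == "__main__":
    # Long timer: burst fills the table and the new client is refused, slow client is fine.
    print("60s timeout:", simulate(100, 60.0, 200, 2.0, 30.0))
    # Short timer, new client arrives right after the burst: still refused.
    print("5s timeout, early:", simulate(100, 5.0, 200, 2.0, 30.0))
    # Short timer, new client arrives after the burst expired: accepted,
    # but the quiet legitimate client was evicted along with the junk.
    print("5s timeout, later:", simulate(100, 5.0, 200, 10.0, 30.0))
```

The three runs show the two failure modes side by side: with a long idle timer the table stays full of junk and genuine new connections are refused; with a short timer the junk is flushed, but a legitimate connection that goes quiet for longer than the timer (a slow-start transfer, an idle interactive session) is flushed with it. The real tuning problem is picking a timer, per protocol state, that separates the two, which is exactly why no single setting makes the table immune.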
