On Thu, Oct 19, 2000, Gilad Ben-Yossef wrote about "Re: firewall":
> One thing not commonly mentioned in regard to "stateful inspection" is
> the risk it *introduces* to your setting.
> Consider the following obvious fact: for stateful inspection the
> firewall is required to keep state for any entity it tracks, such as
> open connections.
> 
> A possible attack is then to open as many connections as you can in a
> short time to force that connection table to fill up. This is not (any
> more) an academic discussion - SYN attacks, which are basically based
> on the same principle (but happening at the bastion server, not the
> firewall) are what caused in the last year major players like Yahoo and
> eBay to fall down. Using a "stateful inspection" firewall introduces yet
> another point of failure to your setup.
>..

This is a good point, but I think it's not much of a problem usually,
because of two reasons:

1) In a home network, or even office network: In this case, the main concern
   is to prevent cracking into your system, and prevent remote-control trojans
   inside your system from working even if they got inside (e.g., someone clicked
   on that "VBS" attachment). Most people would not really care to protect
   their system against DoS attacks.

2) Correct me if I'm wrong, but I don't see much point in doing stateful
   inspection on a *LISTENING* port. I mean, if you have an http server
   listening on port 80, then what would you gain by trying to follow the
   incoming sessions in the firewall? Are you interested in catching non-SYN
   segments of a non-existent connection and not returning an RST? Why? Or
   are you trying to prevent weird "replies" to hosts that never asked a
   question? Why? (if this is to prevent trojans from connecting out, they have
   other ways to communicate out, usually... you can also prevent outgoing SYNs)

   So the firewall should not be doing stateful inspection or session checking
   or whatever you call it on packets coming to port 80, so I don't see how
   it can be overloaded.

   I see the importance of stateful inspection in the other direction: i.e.,
   a user from inside the firewall makes a connection, and we want to allow
   packets to return to him, but only from the one machine he's connected to -
   we don't want to open up everything from every machine just to allow this
   connection. I don't see how a DoS attack can be done remotely in such a
   case.

-- 
Nadav Har'El                        |    Thursday, Oct 19 2000, 20 Tishri 5761
[EMAIL PROTECTED]             |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |I'm a peripheral visionary: I see into
http://nadav.harel.org.il           |the future, but mostly off to the sides.
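As an added illustration (not part of this thread, and not code from either poster) of the two directions discussed above: a toy stateful filter that keeps state only for inside-initiated connections, passes inbound port-80 traffic to the bastion without creating state, and caps its table so that a full table refuses new sessions instead of failing open. The "inside" prefix, the addresses, ports and traffic are all constructed for the example.

```python
INSIDE_PREFIX = "10.0.0."   # assumed internal network (constructed)
LISTENING_PORTS = {80}      # bastion HTTP server reachable from outside

class StatefulFilter:
    """Tracks only connections initiated from inside; inbound to a listening port is stateless."""

    def __init__(self, max_entries):
        self.table = {}                     # (src, sport, dst, dport) -> True
        self.max_entries = max_entries      # hard cap: the exhaustion point
        self.refused_new = 0                # outbound SYNs refused at capacity

    def handle(self, src, sport, dst, dport, syn=False):
        """Return 'accept' or 'drop' for one packet (4-tuple plus SYN flag)."""
        if src.startswith(INSIDE_PREFIX):           # outbound direction
            key = (src, sport, dst, dport)
            if key in self.table:
                return "accept"                     # part of a tracked session
            if not syn:
                return "drop"                       # no session and not a handshake
            if len(self.table) >= self.max_entries:
                self.refused_new += 1
                return "drop"                       # table full: fail closed, not open
            self.table[key] = True
            return "accept"
        if dport in LISTENING_PORTS:                # inbound to the bastion: no state kept
            return "accept"
        reverse = (dst, dport, src, sport)          # reply to an inside-initiated flow?
        return "accept" if reverse in self.table else "drop"

def simulate():
    fw = StatefulFilter(max_entries=3)
    # constructed flood: 1000 inbound SYNs to port 80 from many sources
    for i in range(1000):
        fw.handle(f"198.51.100.{i % 250}", 40000 + i, "10.0.0.5", 80, syn=True)
    inbound_state = len(fw.table)                   # remains 0: the flood creates no state
    # unsolicited inbound packet to a non-listening port is dropped
    stray = fw.handle("203.0.113.9", 443, "10.0.0.7", 51000)
    # an inside host opens a connection; only the matching reply is admitted
    fw.handle("10.0.0.7", 51000, "203.0.113.9", 443, syn=True)
    reply = fw.handle("203.0.113.9", 443, "10.0.0.7", 51000)
    other = fw.handle("203.0.113.10", 443, "10.0.0.7", 51000)   # different remote host
    # more inside-initiated sessions than the cap: the extra one is refused
    for p in (51001, 51002, 51003):
        fw.handle("10.0.0.7", p, "203.0.113.9", 443, syn=True)
    return {"inbound_state": inbound_state, "stray": stray, "reply": reply,
            "other": other, "refused": fw.refused_new, "entries": len(fw.table)}
```

The point the thread makes falls out of the numbers: the external flood never touches the table, while the cap only bites on sessions the inside itself opens.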
