Date: Thu, 16 Aug 2001 14:09:00 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Dennis Jun <dennisjun@yahoo.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: How do stateful firewalls help increase security?
Message-ID: <20010816140900.H4232@blossom.cjclark.org>
In-Reply-To: <20010816195750.15814.qmail@web11608.mail.yahoo.com>; from dennisjun@yahoo.com on Thu, Aug 16, 2001 at 12:57:50PM -0700
References: <20010816195750.15814.qmail@web11608.mail.yahoo.com>
On Thu, Aug 16, 2001 at 12:57:50PM -0700, Dennis Jun wrote:
> A friend of mine asked me this today

Huh, wha? Asked you what? Oh, the subject line? "How do stateful firewalls help increase security?" (The body of an email message should be self-contained.)

> and I couldn't
> give him a definite answer, even though I use stateful
> firewalls. I was wondering if any gurus could enlighten
> me. Thanx.

The other option is a stateless packet filter. Stateless packet filters are much, much better than nothing, but they do have weaknesses.

For TCP, you can prevent incoming connections from the outside world by blocking bare SYN-segments. This is the big plus of a stateless filter. However, you are wide open to a wide variety of scanning techniques like a simple ACK-scan. Anyone can map your internal network. Anyone can send anything onto your network _except_ bare SYN-segments. This can be troublesome. (Of course, you can cut off all TCP, but why not just pull the plug?)

For UDP, you can cut which ports can come into the network. However, for protocols which use an ephemeral UDP port, you're in trouble since you need to open up the whole range for incoming UDP.

There are other issues with ICMP and other protocols, but they are generally not as important. Often "stateful" firewalls only act as stateless filters for non-TCP or UDP packets (better ones do state on ICMP too).

-- 
Crist J. Clark cjclark@alum.mit.edu
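The difference described in the reply above, as an added toy model that is not part of the original thread: a stateless rule set that only blocks bare inbound SYNs (and has to leave the whole ephemeral UDP range open for replies) next to a stateful one that admits inbound packets only when they match a flow an inside host started. The addresses, ports and packets are constructed for the demo; the verdict list shows where an unsolicited ACK probe and an unsolicited UDP datagram slip past the stateless filter but not the stateful one.

```python
from dataclasses import dataclass

# Constructed packet model for the demo: "in" = arriving from the outside world.
@dataclass(frozen=True)
class Pkt:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                  # "in" (from outside) or "out" (from inside)
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}

def stateless_allow(p: Pkt) -> bool:
    """Stateless rules: block bare inbound SYNs; inbound UDP only to the
    ephemeral range (it has to be open for replies); everything else passes."""
    if p.direction == "out":
        return True
    if p.proto == "tcp":
        return p.flags != frozenset({"SYN"})   # only a bare SYN is refused
    if p.proto == "udp":
        return 1024 <= p.dport <= 65535        # whole ephemeral range is open
    return False

class StatefulFilter:
    """Stateful rules: outbound traffic records a flow; an inbound packet is
    allowed only if it is the reverse of a flow an inside host started."""
    def __init__(self):
        self.flows = set()
    def allow(self, p: Pkt) -> bool:
        if p.direction == "out":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in packets]

INSIDE, OUTSIDE = "10.0.0.5", "198.51.100.7"   # constructed addresses
DEMO = [
    Pkt("tcp", INSIDE, 40000, OUTSIDE, 80, "out", frozenset({"SYN"})),        # inside host connects out
    Pkt("tcp", OUTSIDE, 80, INSIDE, 40000, "in", frozenset({"SYN", "ACK"})),  # reply to that connection
    Pkt("tcp", OUTSIDE, 12345, INSIDE, 22, "in", frozenset({"ACK"})),         # unsolicited ACK probe
    Pkt("tcp", OUTSIDE, 12345, INSIDE, 22, "in", frozenset({"SYN"})),         # bare SYN: both block it
    Pkt("udp", INSIDE, 50000, OUTSIDE, 53, "out"),                            # DNS query going out
    Pkt("udp", OUTSIDE, 53, INSIDE, 50000, "in"),                             # matching DNS reply
    Pkt("udp", OUTSIDE, 9999, INSIDE, 50001, "in"),                           # unsolicited UDP to ephemeral port
]
```

`compare(DEMO)` yields `(True, False)` for the ACK probe and the unsolicited UDP datagram, i.e. the stateless filter passes both and the stateful filter drops both, while legitimate replies pass either way.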