On Tue Jan 05, 2010 at 02:16:58PM -0600, Brian Johnson wrote:
> I have my own idea of what a firewall is and what it does. I also understand what stateful packet inspection is and what it does. Given this information, and not prejudging any responses, exactly what is a firewall for and when is stateful inspection useful?
Not sure I'd call myself a security guru, but...

I'm not a great fan of packet filtering firewalls (as opposed to proxy based or application layer firewalls). Generally, I just use stateless ACLs when I need additional network level security. However, they do have one big disadvantage.

Say you've got a server where you want to allow outbound HTTP access to anywhere on the Internet, but only SSH inbound from your home DSL. To do this, you'd build an inbound ACL which looks something like:

- Allow from home DSL IP to server port 22
- Allow from anywhere port 80 to server
- Deny all other traffic.

You need the port 80 rule to allow the return traffic from all those outbound connections. However, an enterprising hacker realises that he can create a TCP connection from port 80 on his own box to port 22 on your server.

Now, if you change from stateless to stateful ACLs, you add the intelligence that whenever it sees a connection originating from your server to port 80 on the Internet, it automatically adds a rule that allows traffic back from the server you're talking to, but not from anywhere else. Therefore, your enterprising hacker can no longer connect in.

Of course, the other benefit a stateful inspection firewall can provide is pattern matching on undesirable traffic based on signatures.

Simon

-- 
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
Director       | * Domain & Web Hosting * Internet Consultancy *
Bogons Ltd     | * http://www.bogons.net/ * Email: info@bogons.net *
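To make the difference in Simon's reply concrete, here is a small added simulation (not code from the thread; all addresses are constructed documentation-range values) that runs the three-rule stateless ACL and a connection-tracking filter over the same two inbound packets: the legitimate reply from a web server the server connected to, and a packet sent from source port 80 on another host to port 22.

```python
"""Stateless ACL vs. stateful connection tracking, as described in the post."""
from dataclasses import dataclass

SERVER = "192.0.2.10"       # constructed: the protected server
HOME_DSL = "198.51.100.7"   # constructed: the admin's home DSL address
WEB = "203.0.113.80"        # constructed: a web server SERVER connects out to
OTHER = "203.0.113.66"      # constructed: an unrelated host on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a connection-opening SYN


def stateless_inbound(pkt: Packet) -> bool:
    """The three-rule inbound ACL from the post: no memory of past traffic."""
    if pkt.src == HOME_DSL and pkt.dst == SERVER and pkt.dport == 22:
        return True
    if pkt.dst == SERVER and pkt.sport == 80:  # "allow from anywhere port 80"
        return True
    return False  # deny all other traffic


class StatefulFilter:
    """Remembers outbound HTTP connections and admits only matching replies."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, int]] = set()  # (remote_ip, remote_port, local_port)

    def outbound(self, pkt: Packet) -> None:
        # SERVER opening a connection to port 80: record it for return traffic.
        if pkt.src == SERVER and pkt.dport == 80 and pkt.syn:
            self.table.add((pkt.dst, pkt.dport, pkt.sport))

    def inbound(self, pkt: Packet) -> bool:
        if pkt.src == HOME_DSL and pkt.dst == SERVER and pkt.dport == 22:
            return True
        # Return traffic is allowed only from the peer SERVER actually talked to.
        return (pkt.src, pkt.sport, pkt.dport) in self.table


def compare() -> dict[str, bool]:
    """Run the post's scenario; returns each filter's verdict on both inbound packets."""
    sf = StatefulFilter()
    sf.outbound(Packet(SERVER, 51234, WEB, 80, syn=True))      # server browses WEB
    reply = Packet(WEB, 80, SERVER, 51234, syn=False)           # legitimate HTTP reply
    probe = Packet(OTHER, 80, SERVER, 22, syn=True)             # source port 80 -> SSH
    return {
        "reply_stateless": stateless_inbound(reply), "reply_stateful": sf.inbound(reply),
        "probe_stateless": stateless_inbound(probe), "probe_stateful": sf.inbound(probe),
    }
```

Both filters pass the genuine reply, but only the stateful filter rejects the port-80-sourced connection to port 22, because no outbound connection to that host and port was ever recorded.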