Poking the dragon a bit, aren't you? Fun. If you really look at it, there is no quantitative difference between statefull and non-statefull. A non-stateful firewall can prevent a TCP session from entering the SYN_RECEIVED state by blocking the SYN packet, so it strongly impacts session state without really trying. A statefull firewall will venture a bit deeper into the state diagram with a few more rules, but this is mostly a quantitative difference when viewed at a behavioral level (disregarding the internal implementation, of course). Coders and marketeers will burn me in effigy over this, but there's already a lot of people in that line... In the most general terms, a firewall attempts to permit desired traffic flows and block undesirable traffic flows. Statefull ones attempt to do so using knowledge of the protocols' state machines. The work performed by a statefull firewall must be done, either by the ultimate endpoints (your servers, etc) or by a central enforcement point (a firewall). In other words, desirable traffic (like spice) must flow, and undesirable traffic must not impede the former. The rationale for the existence of firewalls is that you can enforce the rules of the protocols more cheaply if you move some of the enforcement into a specialized device (a statefull firewall). If you care to engineer every end node such that they can enforce the protocols' state machines in every case at every possible traffic level, you have no need for firewalls at all. At the current triple-point of threat, product, and protocol, separation of function is currently a useful method, nothing more. David On Tue, Jan 5, 2010 at 12:16 PM, Brian Johnson <bjohnson@drtel.com> wrote:
Security Gurus, et al,
I have my own idea of what a firewall is and what it does. I also understand what statefull packet inspection is and what it does. Given this information, and not prejudging any responses, exactly what is a firewall for and when is statefull inspection useful?
Please respond on-list as I want to have some useful discourse and discussion in the clear. Flamers and Trolls will be disregarded. :)
Thank you.
- Brian
CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, copying, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Thank you.