Security Basics

Thread: statefull inspection FW and hackers
- statefull inspection FW and hackers, Aug 20 2008 05:04AM, Juan B (juanbabi yahoo com) (4 replies)
- Re: statefull inspection FW and hackers, Aug 20 2008 06:02PM, Andrea Gatta (andrea gatta gmail com) (1 replies)
- RE: statefull inspection FW and hackers, Aug 20 2008 05:15PM, David Gillett (gillettdavid fhda edu) (1 replies)
- Re: statefull inspection FW and hackers, Aug 20 2008 10:07PM, Andrea Gatta (andrea gatta gmail com) (1 replies)
Stateful inspection can be best understood with security zones/levels.
By default, most firewalls don't allow anything to come from a low
security zone to a high one (i.e. let's say from the internet to internal
resources). This would mean that if an internal user accesses the internet,
his response will be blocked. This is not desirable because we do not
want to keep on opening holes from the internet to internal hosts on the
firewall. We need some mechanism to allow this response/reply back to
the internal user. SPI helps us to achieve it!
As mentioned in the thread and also to keep it simple, SPI maintains a
state table of requests and opens the incoming requests for that
connection! The rest of the requests from the low security zone to high are
denied (if not explicitly allowed).
Thanks,
Aditya Govind Mukadam
On Thu, Aug 21, 2008 at 3:37 AM, Andrea Gatta <andrea.gatta (at) gmail (dot) com [email concealed]> wrote:
> David,
> depending on the target OS, a FIN scan can reveal open ports.
> Basically an unsolicited FIN packet will be:
>
> - ignored on an open port (RFC 793)
>
> - while on a closed port that will trigger a RST/ACK back
>
> In turn that will give to the attacker a way to understand what ports
> are actually available on the target.
>
> Thing is, a FIN scan is not likely to be seen and logged by a
> firewall which is not stateful.
>
> Andrea
>
> On Wed, Aug 20, 2008 at 6:15 PM, David Gillett <gillettdavid (at) fhda (dot) edu [email concealed]> wrote:
>> Statefulness doesn't help with SYN port scans -- that much is correct.
>>
>> However, some attacks may depend on violating the normal state transitions
>> or sequencing of TCP traffic, or on scanning with other sorts of packets --
>> I see unsolicited SYN-ACK packets all the time. (Those are probably just
>> responses to spoofed SYNs, but I can't know that for certain. I'm not sure
>> what a scan with RST or FIN packets would reveal.)
>>
>> Most of the stateful firewalls I've seen also do inspection of FTP control
>> traffic, so that FTP data sessions on negotiated ports can be allowed without
>> leaving masses of high-numbered ports open all the time. An awful lot of
>> junk/noise can be filtered out by that.
>>
>> David Gillett
>>
>>
>>> -----Original Message-----
>>> From: listbounce (at) securityfocus (dot) com [email concealed]
>>> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Juan B
>>> Sent: Tuesday, August 19, 2008 10:05 PM
>>> To: security basics
>>> Subject: statefull inspection FW and hackers
>>>
>>>
>>>
>>> Hi,
>>>
>>> Can someone please explain why stateful inspection FW helps
>>> against hackers? I know that those FW keep track of the
>>> sessions but I don't understand how the feature might help
>>> against a port scan from the internet or other ways to
>>> mitigate hackers' attacks.
>>>
>>> Thanks
>>>
>>> Juan
>>>
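The state table the thread describes, as an added example that is not part of any message in the thread: a toy stateful filter in Python where an outbound SYN from the internal (high security) zone creates an entry, inbound packets are allowed only when they match an entry, and unsolicited SYN, FIN or SYN-ACK probes from the low security zone are dropped and logged. The zone names, packet layout, addresses and sample traffic are all constructed for the example; a real firewall tracks far more state (sequence numbers, timeouts, FIN handshakes, FTP helpers) than this.

```python
"""Toy stateful packet filter (added example, not the thread's code).

Constructed model of the SPI state table discussed in the thread:
  - inside -> outside traffic is allowed and, on SYN, recorded in the table
  - outside -> inside traffic is allowed only as a reply to a tracked flow
  - anything else from the low security zone is dropped and logged, which is
    exactly what catches an unsolicited FIN or SYN-ACK probe that a stateless
    filter would never notice.
"""
from dataclasses import dataclass

INSIDE, OUTSIDE = "inside", "outside"   # hypothetical zone names (high / low security)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flags present, e.g. frozenset({"SYN", "ACK"})
    zone: str             # zone the packet arrives FROM


class StatefulFilter:
    """Allow inside->outside freely; allow outside->inside only as a reply to a tracked flow."""

    def __init__(self):
        self.table = {}   # (in_ip, in_port, out_ip, out_port) -> connection state
        self.log = []     # dropped unsolicited packets, recorded for the defender

    @staticmethod
    def _flow_key(pkt):
        # Normalise to (internal endpoint, external endpoint) whatever the direction,
        # so a reply from outside maps onto the entry its request created.
        if pkt.zone == INSIDE:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        key = self._flow_key(pkt)
        if pkt.zone == INSIDE:
            if pkt.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"        # new outbound connection
            elif "RST" in pkt.flags:
                self.table.pop(key, None)           # internal side aborted it
            return "ALLOW"
        # Low security zone -> high security zone: must match a tracked flow.
        state = self.table.get(key)
        if state is None:
            self.log.append(f"DROP unsolicited {'/'.join(sorted(pkt.flags))} "
                            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return "DROP"
        if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
            self.table[key] = "ESTABLISHED"         # handshake reply accepted
        elif "RST" in pkt.flags:
            self.table.pop(key, None)
        return "ALLOW"


def run_demo():
    """Run constructed sample traffic through the filter; returns (decisions, filter)."""
    fw = StatefulFilter()
    client, server, scanner = "10.0.0.5", "198.51.100.20", "203.0.113.9"  # constructed
    F = frozenset
    traffic = [
        Packet(client, 40000, server, 80, F({"SYN"}), INSIDE),          # user opens a web connection
        Packet(server, 80, client, 40000, F({"SYN", "ACK"}), OUTSIDE),  # legitimate reply
        Packet(scanner, 55555, client, 22, F({"SYN"}), OUTSIDE),        # unsolicited SYN probe
        Packet(scanner, 55556, client, 22, F({"FIN"}), OUTSIDE),        # unsolicited FIN probe
        Packet(scanner, 55557, client, 22, F({"SYN", "ACK"}), OUTSIDE), # unsolicited SYN-ACK
        Packet(client, 40000, server, 80, F({"RST"}), INSIDE),          # user tears the flow down
        Packet(server, 80, client, 40000, F({"ACK"}), OUTSIDE),         # stale packet after teardown
    ]
    decisions = [fw.process(p) for p in traffic]
    return decisions, fw


if __name__ == "__main__":
    decisions, fw = run_demo()
    for d in decisions:
        print(d)
    print("\n".join(fw.log))
```

Only the reply to the connection the inside host actually opened gets through; the three probes and the stale packet after teardown are dropped and show up in the log, which is the visibility Andrea's point about FIN scans and David's point about unsolicited SYN-ACKs depends on.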