> -----Original Message-----
> From: jmfreemaat_private [mailto:jmfreemaat_private]
> Sent: Tuesday, 8 February 2000 7:27 PM
> To: firewall-wizardsat_private
> Subject: Term Explanation
>
>
> I've been seeing a lot of information on various firewall
> products, and require
> a bit of help from the people that know. Can someone give me a brief
> explanation of the following:

No. Well, not brief, anyway.

>
> dynamic packet filtering

OK. You know what packet filtering is, right? Well, if you just write down a heap of filtering rules and stick them in a router, they won't ever change - they're _static_.

As one might assume, _dynamic_ packet filters change. Dynamically. Exactly how they change is implementation dependent, but you could reasonably use this term any time you have a set of filtering rules that changes in a reactive manner.

One example: a host on the inside of the network sends a UDP packet out to a remote host on port 53 - looks like DNS. I don't normally allow UDP in from the outside because it's too hard to track, but in this case, I'll open a teeny hole in my firewall FROM the remote host FROM port 53 TO the host that asked for it TO the port they asked for it from. I'll keep it open for about a minute and then slam it shut again.

> stateful inspection

Ask Checkpoint. Oh wait, don't ask them - ask someone with a _good_ implementation. ;) (Go on...flame me. I dare you....)

This is complicated. To understand the concept, however, this may serve.

TCP has fairly strict rules about what goes on in a conversation. There are handshakes. There are sequence numbers. There are windows. A SYN needs to come before a SYN/ACK and PSH comes after them, and lord help us if we get a weird SYN/ACK/URG when the state machine is in FIN_WAIT_2 - we might have to RST etc etc etc. Basically it's tricky.

There are lots of TCP attacks based on how tricky it is, where hackers try to break the rules in such a way that the end systems get all confused and the hackers win and eat our data. To save poor little Windows '95 boxes all the trouble of having a well-coded TCP stack, a stateful inspection box will check all the conversations passing through it and make sure that everyone is following the rules. It's a lot harder for hackers to bust stuff if they have to follow _all_ the rules instead of just some of them.

And this is different to dynamic packet filtering how? One (dynamic filtering) adapts what is allowed and what isn't based on things that happen. The other (stateful packet filter) is essentially a traffic cop that makes sure that the traffic we have decided to allow is all nice and legal. They are complementary tech - a merits argument between them would be silly.

Hopefully this helps a bit.

Cheers,
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520
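The UDP/DNS pinhole described in the reply above, as an added toy simulation (not code from the original post or from any firewall product): an outbound query to port 53 opens a reverse-direction hole for about a minute, and inbound UDP is otherwise dropped. The addresses, the 10.0.0.x "inside" prefix and the 60-second lifetime are constructed assumptions.

```python
from dataclasses import dataclass

PINHOLE_TTL = 60  # assumed: hole stays open "about a minute", then slams shut


@dataclass(frozen=True)
class Packet:
    proto: str       # only "udp" matters for this demo
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = inside -> outside, "in" = outside -> inside


class DynamicFilter:
    """Static policy: deny all inbound UDP. Dynamic part: reply holes."""

    def __init__(self, inside_prefix="10.0.0."):   # assumed inside network
        self.inside_prefix = inside_prefix
        # (remote, rport, local, lport) -> absolute expiry time
        self.holes = {}

    def decide(self, pkt, now):
        # slam shut any hole whose minute is up before looking at the packet
        self.holes = {k: exp for k, exp in self.holes.items() if exp > now}
        if pkt.direction == "out":
            looks_like_dns = (pkt.proto == "udp" and pkt.dport == 53
                              and pkt.src.startswith(self.inside_prefix))
            if looks_like_dns:
                # FROM remote host FROM 53 TO the asker TO the port it used
                self.holes[(pkt.dst, 53, pkt.src, pkt.sport)] = now + PINHOLE_TTL
            return "allow"
        # inbound UDP only gets through a hole we opened for it
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return "allow" if (pkt.proto == "udp" and key in self.holes) else "deny"


def demo():
    """Constructed traffic: unsolicited reply, query, reply, spoofed reply, late reply."""
    fw = DynamicFilter()
    query = Packet("udp", "10.0.0.5", 40000, "192.0.2.53", 53, "out")
    reply = Packet("udp", "192.0.2.53", 53, "10.0.0.5", 40000, "in")
    stray = Packet("udp", "198.51.100.9", 53, "10.0.0.5", 40000, "in")  # wrong source
    return [fw.decide(reply, 0),    # nothing asked for it -> deny
            fw.decide(query, 1),    # opens the hole -> allow
            fw.decide(reply, 5),    # matches the hole -> allow
            fw.decide(stray, 6),    # other host, same ports -> deny
            fw.decide(reply, 62)]   # minute is up -> deny
```

A real implementation would also key on the DNS transaction ID and close the hole on the first matching reply; this version deliberately keeps to the behaviour the post describes.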
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:07 PDT