On 16 Oct 2002, Frank Knobbe wrote: > Not for inbound connections, but doesn't a stateful firewall prevent > non-legit outbound connections? If the firewall protecting a web server Not really... > were stateless (read packet filter), the web server could establish > connections to the outside with a source port of 80, and a backdoor > would be able to connect to its master. However, if state is kept, and > only inbound connections to port 80 are allowed, then the backdoor can > not establish a connection to the outside using source port 80. Outbound non-ack packets would stop this for a Web server, and if the trojan is able to bind() to port 80 and service inbound requests (not that it's not possible) without fooling the HTTP daemon, then methinks filtering is the least of your problems. > To me it seems that stateless access control only protects my side from > incoming traffic, but I also want to enforce access control on outbound > traffic. In order to distinquish between a valid response, and a new > connection, isn't state helpful? It can be, but potentially it can be a problem too- state tables can fill up, where a stateless filter doesn't have that issue. > I understand that I could filter any packets from the web server (in > above example) by denying packets with SYN flag set, so maybe above rant > is only valid for UDP. But in general I believe state is useful in > access control. Or am I way off? I find it slightly useful for UDP, but overall think the added complexity doesn't bring much in the way of protection if you carefully design your architecture. The performance information that this thread has started IS interesting, and it's started me wondering about the whole "filter on a router vs. firewall" thing again. Thanks, Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions probertsat_private which may have no basis whatsoever in fact." probertsonat_private Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizardsat_private http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 09:47:56 PDT