LinuxQuestions.org
Old 04-05-2011, 12:57 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,116

Rep: Reputation: 58
Stateful Firewall Understanding


Stateful Firewall:

"Filters the traffic coming across it dynamically, an architecture known as stateful packet inspection (SPI) or dynamic packet filtering. It allows for packets of data to be inspected more thoroughly than stateless firewalls, which can only monitor traffic based on static values, such as the address where the packet originated. Stateful firewalls are used when security is preferred over speed"

http://www.wisegeek.com/what-is-a-stateful-firewall.htm

I ran a scan against a host externally using a third party product and it came back with ports TCP:5190 and TCP:1863 as being vulnerable. After looking into it further, on the targets these services were not running and/or listening on those ports. So I looked at the ruleset on the firewall and there is nothing referring to any of these ports. So I began researching the issue and these are stateful firewalls (Cisco ASA 5500 and Juniper SSG).

So would this be the reason that when running a scan against a SPI firewall, you would see all ports as being filtered and only the ones that have been specified as being closed ("Drop") or opened ("Forwarded" or "Open") as being rules specifically specified in the ruleset? If that is the case then why are there only certain services responding to ports? I am confused.
 
Old 04-05-2011, 04:27 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,915

Rep: Reputation: 777
Maybe I'm misinterpreting, but I don't think that statefulness has anything to do with it

Quote (originally posted by metallica1973):

I ran a scan against a host externally using a third party product and it came back with ports TCP:5190 and TCP:1863 as being vulnerable. After looking into it further, on the targets these services were not running and/or listening on those ports.
This part, at least, is nothing directly to do with statefulness; you can achieve this without using states at all. All you have to do is let packets through the firewall, but don't have any service listening on that port. Simples!

Quote (originally posted by metallica1973):
"Filters the traffic coming across it dynamically, an architecture known as stateful packet inspection (SPI) or dynamic packet filtering. It allows for packets of data to be inspected more thoroughly than stateless firewalls, which can only monitor traffic based on static values, such as the address where the packet originated. Stateful firewalls are used when security is preferred over speed"

http://www.wisegeek.com/what-is-a-stateful-firewall.htm
You can use states to vary the amount of inspection that a packet gets; for the first packet, you might want to do all sorts of checks and then for subsequent related packets to just go through 'on the nod'. This allows you to do less testing of the packets and should be more efficient, if done effectively.
 
Old 04-05-2011, 06:20 PM   #3
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Stateful firewalls inspect the packets and can check for an existing session. With a stateless firewall you must have inbound and outbound rules for each service you want to allow to pass, whereas with stateful you can set up just an outbound rule and it will keep the session information and inspect the packet. If an outbound session is made, any traffic that is in the same session and valid would be allowed to pass back through the firewall without requiring an inbound rule for that traffic, because it already knows about the session and that it is return traffic from something generated from the inside.

You can do deep inspection to verify that the correct flags are set, i.e. someone trying to send an ACK packet for a SYN that was never sent.
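A toy connection-tracking filter that illustrates the two replies above (return traffic of an outbound session admitted with no inbound rule; an inbound ACK with no prior SYN dropped) and, for the original question, why a scanner reports a port as "closed" rather than "filtered" when the firewall passes the packet but nothing on the host is listening. This is an added example, not code from this thread nor from any Cisco ASA or Juniper SSG product; the IP addresses, the choice to open port 5190 by rule, and the set of listening ports are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # e.g. frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    direction: str            # "out" = inside host -> internet, "in" = internet -> inside host


@dataclass
class StatefulFirewall:
    """Simulated SPI firewall: outbound allowed by policy, inbound only by rule or by session."""
    open_inbound_ports: set = field(default_factory=set)   # ports explicitly opened/forwarded
    conntrack: dict = field(default_factory=dict)          # session key -> TCP state

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Key is always (inside_ip, inside_port, remote_ip, remote_port), whichever way the packet flows,
        # so both halves of a conversation land on the same table entry.
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        if p.direction == "out":
            # Outbound traffic is permitted; a bare SYN creates a new tracked session,
            # an ACK on a known session moves it to ESTABLISHED.
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.conntrack[key] = "SYN_SENT"
            elif key in self.conntrack and "ACK" in p.flags:
                self.conntrack[key] = "ESTABLISHED"
            return "ACCEPT"

        # Inbound packet that belongs to a tracked session: accepted without any inbound rule,
        # but only if its flags make sense for the session's current state.
        if key in self.conntrack:
            state = self.conntrack[key]
            if state == "SYN_SENT" and p.flags == frozenset({"SYN", "ACK"}):
                return "ACCEPT"
            if state == "ESTABLISHED":
                return "ACCEPT"
            return "DROP"

        # Inbound packet with no session: only a new SYN to an explicitly opened port passes.
        if p.flags == frozenset({"SYN"}) and p.dport in self.open_inbound_ports:
            self.conntrack[key] = "SYN_RECEIVED"
            return "ACCEPT"
        # Anything else (including an ACK for which no SYN was ever seen) is silently dropped.
        return "DROP"


def scan_port(fw: StatefulFirewall, target: str, listening_ports: set, port: int,
              scanner: str = "198.51.100.7") -> str:
    """What a SYN scan observes for one port: the firewall decides first, then the host."""
    probe = Packet(scanner, 50000 + port % 1000, target, port, frozenset({"SYN"}), "in")
    if fw.filter(probe) == "DROP":
        return "filtered"                 # no reply at all: firewall dropped it
    # Packet reached the host: a listener answers SYN/ACK ("open"), otherwise the kernel sends RST ("closed").
    return "open" if port in listening_ports else "closed"


def demo() -> dict:
    # Constructed scenario: 5190 is opened by rule, 1863 has no rule; the inside host only listens on 22.
    fw = StatefulFirewall(open_inbound_ports={5190})
    inside, remote = "10.0.0.5", "203.0.113.9"
    results = {}
    # 1. Inside host connects out; the reply is accepted purely because the session is tracked.
    results["out_syn"] = fw.filter(Packet(inside, 40000, remote, 443, frozenset({"SYN"}), "out"))
    results["in_synack"] = fw.filter(Packet(remote, 443, inside, 40000, frozenset({"SYN", "ACK"}), "in"))
    results["out_ack"] = fw.filter(Packet(inside, 40000, remote, 443, frozenset({"ACK"}), "out"))
    results["in_data"] = fw.filter(Packet(remote, 443, inside, 40000, frozenset({"ACK"}), "in"))
    # 2. Inbound ACK with no prior SYN: flag check fails, dropped.
    results["stray_ack"] = fw.filter(Packet(remote, 5555, inside, 22, frozenset({"ACK"}), "in"))
    # 3. Scanner's view: rule passes 5190 but nothing listens -> "closed"; no rule for 1863 -> "filtered".
    listening = {22}
    results["scan_5190"] = scan_port(fw, inside, listening, 5190)
    results["scan_1863"] = scan_port(fw, inside, listening, 1863)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>10}: {verdict}")
```

The "closed" versus "filtered" distinction is the part that matters for reading the original scan: a port the firewall passes but nobody listens on gets a RST from the host itself, so the scanner can tell it apart from a port the firewall drops silently. On Linux the session half of this behaviour is what a rule such as `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` provides, with the open-port rules doing the rest.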
 
Old 04-06-2011, 01:59 PM   #4
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,116

Original Poster
Rep: Reputation: 58
I started a new thread regarding my issue. Many thanks