Dave Clark asks:
: I am soliciting comments from anyone who has evaluated (or has
: educated opinions on) the pros and cons of Sidewinder's "type
: enforcement" and Checkpoint's "stateful inspection" technologies.
Let me begin by noting that I work for Secure Computing and am not a
purely disinterested speaker. However, I'm sure my colleagues on the
list will point out any statements I make that deserve dispute.
First of all, stateful inspection and type enforcement address
different aspects of the computer security puzzle. Stateful inspection
is a process applied to network traffic. Type enforcement is applied
to software running on a computer system. So, the question breaks into
two parts:
1) What is the benefit of type enforcement in a firewall?
I posted a message to Firewalls in the thread "Re: stack overflows and
trusted systems" on Feb 26 of last week that discusses this exact
issue. I won't bore people with a repetition; contact me if you need a
copy of it.
In a nutshell, type enforcement protects the firewall from attack,
keeps its pieces largely functioning and restricting traffic even if
an attacker uses a really novel attack, and sets off alarms if the
attacker makes a proxy or server misbehave.
2) What does Sidewinder do that's comparable to stateful packet
filtering?
Stateful packet filtering is used to distinguish between network
traffic that's allowed to pass between internal and external networks
and traffic that's to be blocked. Sidewinder provides a combination
of transport and application level proxies to do this, like several
other firewalls (Borderware Firewall Server, Gauntlet, SmartWall,
etc).
We chose to do proxies on Sidewinder because they provide the most
certain control over the flow of traffic. No traffic will flow between
the inside and outside unless a proxy has been established to carry
the traffic. So, the device by default is "restrictive" in its
handling of traffic. Packet filters, on the other hand, were
traditionally built atop routers whose intention was to transmit
traffic rapidly whenever possible. Security was added by discarding
packets whose contents could not possibly belong to legitimate
traffic. In short, packet filters are intrinsically "permissive"
devices, and traffic will flow unless rules explicitly prevent it.
Generic packet filters have proven inadequate in practice to block
many types of attacks. "Stateful" filters were developed to make
packet filters more effective. These filters keep information about
connections or types of traffic that's sent in order to better infer
what is really happening. In a sense the filters' state simply
replicates the connection tracking logic in a typical TCP session,
making them very similar in practice to transparent proxies.
A shortcoming in many stateful packet filter implementations is that
things get difficult as they try to track the state of more
sophisticated application level traffic. For example, Sidewinder and
various other proxy firewalls support a variety of user authentication
techniques to control either inbound or outbound access. It's harder
(though not impossible) to do that with stateful filters. I hear that
it can be done for a few simple situations. I don't know if you can
filter Web URLs in existing "stateful filter" firewalls. That's a
major feature in Sidewinder and the Border Firewall now.
Rick.
smith@sctc.com, Secure Computing Corporation
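To make the distinction Rick draws between "permissive" stateless filters and "restrictive" stateful ones concrete, here is an added illustration that is not part of the original post and is not Sidewinder, Check Point or Secure Computing code. It is a toy TCP connection tracker: default-deny, it only opens a flow on an inside-initiated SYN to an allowed port, then admits the return traffic for that flow, mirroring the connection-tracking logic the post says stateful filters replicate. Alongside it is a classic stateless router ACL that admits any inbound packet with the ACK bit set on the assumption that it is a reply; the constructed trace shows the two agreeing on normal traffic and diverging on an unsolicited inbound ACK-only packet, which the stateless rule passes and the stateful one drops. The internal prefix, the allowed ports, the addresses and the single-letter flag encoding are all assumptions of this example.

```python
"""Toy stateful TCP filter vs. a stateless ACK-bit ACL (constructed example)."""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."  # assumed internal address prefix (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # subset of "SAF": S=SYN, A=ACK, F=FIN (example encoding)


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


class StatefulFilter:
    """Default-deny filter that tracks per-flow TCP handshake state."""

    # Policy: only inside-initiated connections to TCP/80 and TCP/443 are allowed.
    ALLOWED_OUTBOUND_PORTS = {80, 443}

    def __init__(self) -> None:
        self.table: dict = {}  # flow key -> "SYN_SENT" | "ESTABLISHED"

    @staticmethod
    def key(pkt: Packet):
        # Sort the two endpoints so both directions hit the same flow entry.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def decide(self, pkt: Packet) -> str:
        k = self.key(pkt)
        state = self.table.get(k)
        if state is None:
            # No state yet: the only thing we accept is a new outbound SYN
            # that matches policy. Everything else, including an inbound
            # ACK-only packet with no matching flow, is dropped.
            if (pkt.flags == "S" and is_inside(pkt.src) and not is_inside(pkt.dst)
                    and pkt.dport in self.ALLOWED_OUTBOUND_PORTS):
                self.table[k] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        if state == "SYN_SENT":
            if pkt.flags == "SA" and not is_inside(pkt.src):
                self.table[k] = "ESTABLISHED"  # reply from the outside peer
                return "ACCEPT"
            if pkt.flags == "S":
                return "ACCEPT"  # retransmitted SYN from the initiator
            return "DROP"
        # ESTABLISHED: data may flow either way; FIN tears the entry down.
        if "F" in pkt.flags:
            del self.table[k]
        return "ACCEPT"


def stateless_ack_filter(pkt: Packet) -> str:
    """Permissive router-style ACL: inbound is fine if the ACK bit is set."""
    if is_inside(pkt.src):
        return "ACCEPT"
    return "ACCEPT" if "A" in pkt.flags else "DROP"


def run_trace():
    """Run a constructed packet trace through both filters.

    Returns a list of (stateful_decision, stateless_decision) per packet.
    """
    sf = StatefulFilter()
    trace = [
        Packet("10.0.0.5", 40000, "198.51.100.7", 80, "S"),   # inside opens a web connection
        Packet("198.51.100.7", 80, "10.0.0.5", 40000, "SA"),  # server's SYN/ACK reply
        Packet("10.0.0.5", 40000, "198.51.100.7", 80, "A"),   # handshake completes
        Packet("198.51.100.7", 80, "10.0.0.5", 40000, "A"),   # data flowing back in
        Packet("203.0.113.9", 1234, "10.0.0.5", 23, "S"),     # unsolicited inbound SYN
        Packet("203.0.113.9", 1234, "10.0.0.5", 23, "A"),     # unsolicited inbound ACK-only
    ]
    return [(sf.decide(p), stateless_ack_filter(p)) for p in trace]


if __name__ == "__main__":
    for stateful, stateless in run_trace():
        print(f"stateful={stateful:6} stateless={stateless}")
```

The last row of the trace is the point: with no flow entry the stateful filter has nothing to match the inbound ACK against and drops it, while the ACK-bit ACL accepts it because the rule only looks at one header bit. That is the "permissive unless rules prevent it" behaviour the post contrasts with proxies, and it is also why a stateful filter's table is the first thing to watch when diagnosing why legitimate traffic is being dropped.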