Subject: RE: Re: Stateful packet filtering
From: manuel.ricca@pararede.pt
Date: 14 Jul 97 16:50:09 +0000
To: firewalls@GreatCircle.COM (Non Receipt Notification Requested)
Alternate-recipient: Prohibited
Autoforwarded: FALSE
Conversion: Allowed
Conversion-with-loss: Allowed
Delivery-date: 14 Jul 97 16:50:16 +0000
Importance: normal
In-reply-to: <0714160957-Re: Stateful packet filtering* /@MHS>
Message-type: Multiple Part
Original-encoded-information-types: Teletex
X400-content-type: P2-1988
X400-mts-identifier: [/PRMD=pararede/ADMD=ip/C=pt;ISOCOR-33b5fada-Tubarao]
X400-originator: manuel.ricca@pararede.pt
X400-received: by /PRMD=pararede/ADMD=ip/C=pt; Relayed; 14 Jul 97 16:50:09 +0000
X400-recipients: firewalls@GreatCircle.com

You mean you can define proxies in Firewall-1?

Any 'transparent proxy' firewall must filter packets using all of the usual packet-filtering attributes (check source and destination IP, check the inbound and outbound interface, disallow SYNs that are not paired with ACKs, etc.). However, it's much simpler to configure, since the packet filter rules are automatically generated. Of course, performance will necessarily be affected, since reassembly must be done up to the application layer (although personally I think that you should put security and ease of configuration first; most holes in firewalls are due to misconfigurations in access lists). I always thought that the 'power of Firewall-1' was its throughput, and that this was because it's a packet filter rather than an application-level firewall.

From what I've heard about stateful multi-layer inspection (SMLT), I had the impression that Firewall-1 would actually have some kind of Finite State Automaton inside it, and would allow or disallow a packet given its state. From the current state, it would only allow a packet if it knew it would transition to another valid state. This would eliminate the need for complete reassembly of the packets. These are all my own suppositions, and I also suspect this is wrong or unfeasible (then again maybe not, if it were made from the network level up), but it was the only way I could imagine for a firewall to analyse packets up to the application layer without having proxies defined (given the simplicity one gains with them), and without losing too much performance.
TIA,
.M
------------
Manuel Ricca (manuel.ricca@pararede.pt)
ParaRede - Tecnologias de Comunicação, S.A.
Tel: +351 1 3020451
Fax: +351 1 3020444
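The finite-state-automaton idea sketched in the message above (keep a table of known flows, and pass a packet only if the flow's current state has a valid transition for it, with no reassembly up to the application layer) as an added Python example. This is constructed illustration code written for this page, not Firewall-1's engine or any product's code; the state names, transitions, the inside/outside addresses and the packet trace are assumptions chosen for the demo, and sequence-number checks, timeouts and UDP handling are deliberately left out.

```python
"""Toy stateful TCP filter: a flow table plus a per-flow state machine.

Constructed example. States, transitions and addresses are assumptions
made for illustration, not the behaviour of any particular firewall.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    SYN_SENT = auto()      # inside host sent SYN, waiting for SYN/ACK
    ESTABLISHED = auto()   # three-way handshake completed
    CLOSING = auto()       # at least one side has sent FIN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset       # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str         # "out" = inside -> outside, "in" = outside -> inside


@dataclass
class Flow:
    state: State
    fins: set = field(default_factory=set)   # directions that have sent FIN


class StatefulFilter:
    """Pass a packet only if the flow automaton has a valid transition for it."""

    def __init__(self):
        self.table: dict = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> Flow

    @staticmethod
    def key(p: Packet) -> tuple:
        # Normalise both directions of a flow to the same table key.
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> bool:
        k, f = self.key(p), p.flags
        flow = self.table.get(k)

        if "RST" in f:
            # A reset tears the flow down; a reset for an unknown flow is dropped.
            if flow is None:
                return False
            del self.table[k]
            return True

        if flow is None:
            # Only an outbound bare SYN may create state. An inbound SYN, or an
            # ACK-only packet matching no flow, is dropped: the "ACK bit set, so it
            # must be a reply" shortcut of a stateless filter does not apply here.
            if p.direction == "out" and f == {"SYN"}:
                self.table[k] = Flow(State.SYN_SENT)
                return True
            return False

        if flow.state is State.SYN_SENT:
            if p.direction == "in" and f == {"SYN", "ACK"}:
                flow.state = State.ESTABLISHED
                return True
            return p.direction == "out" and f == {"SYN"}   # SYN retransmit only

        if flow.state is State.ESTABLISHED:
            if "SYN" in f or "ACK" not in f:
                return False          # no new SYN, and every segment carries ACK
            if "FIN" in f:
                flow.state = State.CLOSING
                flow.fins.add(p.direction)
            return True

        # CLOSING: ACK/FIN traffic is allowed until both sides have sent FIN
        # and the final ACK has passed, at which point the entry is removed.
        if "SYN" in f or "ACK" not in f:
            return False
        if "FIN" in f:
            flow.fins.add(p.direction)
        elif len(flow.fins) == 2:
            del self.table[k]
        return True


def run(trace) -> list:
    """Run a packet trace through a fresh filter and return the verdicts."""
    fw = StatefulFilter()
    return [fw.filter(p) for p in trace]


# Constructed trace: an ordinary client connection from inside to an outside
# web server, followed by three unsolicited inbound packets.
INSIDE, OUTSIDE = "10.0.0.5", "192.0.2.10"   # assumed addresses


def pkt(direction, flags, sport=40000, dport=80) -> Packet:
    if direction == "out":
        return Packet(INSIDE, sport, OUTSIDE, dport, frozenset(flags), "out")
    return Packet(OUTSIDE, dport, INSIDE, sport, frozenset(flags), "in")


HANDSHAKE = [
    pkt("out", {"SYN"}), pkt("in", {"SYN", "ACK"}), pkt("out", {"ACK"}),
    pkt("out", {"ACK"}), pkt("in", {"ACK"}),               # data segments
    pkt("out", {"FIN", "ACK"}), pkt("in", {"FIN", "ACK"}),
    pkt("out", {"ACK"}),                                   # final ACK, entry removed
]
UNSOLICITED = [
    pkt("in", {"SYN"}, sport=2222, dport=22),              # inbound connection attempt
    pkt("in", {"ACK"}, sport=2222, dport=22),              # ACK-only probe, no flow
    pkt("in", {"SYN", "ACK"}, sport=40001),                # SYN/ACK for a SYN never sent
]

if __name__ == "__main__":
    print("handshake:", run(HANDSHAKE))      # all True
    print("unsolicited:", run(UNSOLICITED))  # all False
```

The point of the trace is the second list: a stateless filter that admits any inbound packet with ACK set would pass the ACK-only probe, whereas here every inbound packet must match a flow the inside host opened and must arrive in a state that accepts it.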