Great Circle Associates Firewalls
(June 1995)

Subject: Re: intelligent/"stateful" packet filter weaknesses
From: Darren Reed <avalon @ coombs . anu . edu . au>
Date: Thu, 29 Jun 1995 21:41:44 +1000 (EST)
To: Brent @ GreatCircle . COM (Brent Chapman)
Cc: pfcouvar @ amhux3 . amherst . edu, firewalls @ greatcircle . com
In-reply-to: <v02120c07ac17fa21e471 @ [198 . 102 . 244 . 46]> from "Brent Chapman" at Jun 28, 95 10:42:34 pm

In some mail from Brent Chapman, they said:
[...]
> >Do any stateful packet filters examine the content of the packet and
> >have enough of an understanding of the given protocol to reject such
> >packets?
> 
> No, not as far as I know.

Andrew Molitor's paper at Usenix on `their' packet filter described
filtering out the FTP RETR command, for example. (Left the proceedings
at work, else I'd know the title of the paper).

> >Is it always _possible_ to do so?
> 
> I doubt it.

If you're prepared to reassemble IP packets to do it, as required, yes.
I haven't checked, but it is probably not amongst the recommended options
for IP gateways/routers.

If you're worried about performance, if you were using an OS such as
Solaris2 for your firewall, you might want to do what Sun have done with
telnetd/rlogind and have them work as STREAMs modules.

darren
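An added illustration of the point above that rejecting a command such as FTP RETR only works if the filter reassembles the stream first: a per-packet match misses a command that straddles two segments, while a reassembled view does not. This is example code written for this archive page, not code from any of the posters or from the packet filter described in the Usenix paper; the segments, sequence numbers and file names are constructed.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # client->server bytes of the FTP control channel

def make_segments(isn, chunks):
    """Build in-order segments from payload chunks (constructed test data)."""
    segs, seq = [], isn
    for c in chunks:
        segs.append(Segment(seq, c))
        seq += len(c)
    return segs

def reassemble(segments, isn):
    """Return the contiguous byte stream from isn; stop at the first gap."""
    by_seq = {s.seq: s.payload for s in segments}  # later duplicates win (simplification)
    out, next_seq = bytearray(), isn
    while next_seq in by_seq:
        data = by_seq.pop(next_seq)
        out += data
        next_seq += len(data)
    return bytes(out)

def ftp_commands(stream):
    """Split the reassembled control channel into complete CRLF-terminated commands.
    The trailing partial line is dropped; a real filter would hold it until the rest arrives."""
    cmds = []
    for line in stream.split(b"\r\n")[:-1]:
        parts = line.strip().split(b" ", 1)
        verb = parts[0].upper().decode(errors="replace")   # FTP verbs are case-insensitive
        arg = parts[1].decode(errors="replace") if len(parts) > 1 else ""
        cmds.append((verb, arg))
    return cmds

DENIED = {"RETR"}  # policy for this example: no downloads through the gateway

def filter_decisions(segments, isn):
    """Command-level policy applied to the reassembled stream."""
    return [(v, a, "deny" if v in DENIED else "allow") for v, a in ftp_commands(reassemble(segments, isn))]

def naive_per_packet(segments):
    """What a filter that matches each segment on its own would see."""
    return any(b"RETR " in s.payload for s in segments)

# Constructed session: RETR is split across two segments, which arrive out of order.
ISN = 1000
_ordered = make_segments(ISN, [b"USER anonymous\r\nPASS guest@\r\n", b"CWD /pub\r\nRE", b"TR secret.tar\r\n"])
SEGMENTS = [_ordered[0], _ordered[2], _ordered[1]]
```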

