On Aug 18, 2004, at 2:29 PM, Joel Snyder wrote:
To get into the firewall sweepstakes, you have to start with stateful
packet inspection, not the weak crap you get for free in some freeware
firewalls, but something that watches sequence numbers and the *full*
TCP state machine, plus options, defragmentation, all that jazz.
A genuine (non-rhetorical) question:
Why do we think this is true?
What are the security benefits of watching sequence numbers, the TCP
state machines, and options? (Sidenote: someone should do a quick study
to see how many "stateful firewalls" properly implement TCP PAWS ---
like every modern OS TCP stack does).
(Also, do all stateful firewalls actually reassemble IP fragments? What
happens when they encounter asymmetry? Is it enough just to drop
fragments?)
I'm sure there are lots of good reasons for stateful tracking of
sessions, but I'd like to hear them stated authoritatively.
(ObDisclaimer: I'm a full-proxy partisan).
---
Thomas H. Ptacek // Product Manager, Arbor Networks
(734) 327-0000
--------------------------------------------------------------------------
FREE Network Security Webinar - How to implement IPSec security into VPN appliances
New threats and vulnerabilities require new high-performance IPSec VPN solutions for network protection.
Join the security experts from SafeNet on August 26 at 1:00 PM (Eastern), and learn how to successfully integrate IPSec security into VPN processors and appliances to provide powerful yet cost-effective VPN solutions for your customers.
Register now:
http://www.securityfocus.com/sponsor/SafeNet_focus-ids_040817
--------------------------------------------------------------------------
