Packet filters v. True firewall functionality.

April 30, 2004 12:12:51 AM

Archived from groups: comp.security.firewalls

We have two private subnets, connected together by an Allied Telesyn AR740
router. One of the private subnets is less trustable than the others (it
contains the students!).

At the moment, the router employs a modest amount of packet (IP) filtering
rules to scan traffic traversing the router's interfaces.

My question is: why use the IP filters, when the device has a true stateful
inspection firewall function?

From what I have read, the main advantage is that ports remain closed until
traffic is deemed to be allowed through by the rules set up, whereas with the
packet filtering-only approach, the ports are wide open, but each packet
is checked before being allowed to traverse the interfaces; almost, but not
quite as good.
Anonymous
April 30, 2004 12:12:52 AM

Hi,

WS <WS@nospam.com> wrote:
> My question is: why use the IP filters, when the device has a true stateful
> inspection firewall function?

Stateful inspection firewall means, a packet filter which is able to track
connections from one (in-) side to another (out-) side and recognizing
packets which might correlate to that.

It's got nothing to do with "open" or "closed" ports.

Greetings,
Jens
April 30, 2004 11:58:40 AM

I thought that a stateful inspection firewall was quite different from just
"ip packet filtering", in that it provided true firewall functionality
(ensuring ports are closed until required), as well as correlating packets
with an IP filtering mechanism.

Maybe I've developed a bit of a misunderstanding here.

"Jens Hoffmann" <jh@bofh.de> wrote in message
news:slrnc921sk.g1o.jh@churrasco.bofh.de...
> Hi,
>
> WS <WS@nospam.com> wrote:
> > My question is: why use the IP filters, when the device has a true stateful
> > inspection firewall function?
>
> Stateful inspection firewall means, a packet filter which is able to track
> connections from one (in-) side to another (out-) side and recognizing
> packets which might correlate to that.
>
> It's got nothing to do with "open" or "closed" ports.
>
> Greetings,
> Jens
May 1, 2004 11:23:18 PM

So what's the difference between plain-old "IP Packet filtering" and
"stateful inspection firewalls"?

"Jens Hoffmann" <jh@bofh.de> wrote in message
news:slrnc921sk.g1o.jh@churrasco.bofh.de...
> Hi,
>
> WS <WS@nospam.com> wrote:
> > My question is: why use the IP filters, when the device has a true stateful
> > inspection firewall function?
>
> Stateful inspection firewall means, a packet filter which is able to track
> connections from one (in-) side to another (out-) side and recognizing
> packets which might correlate to that.
>
> It's got nothing to do with "open" or "closed" ports.
>
> Greetings,
> Jens
Anonymous
May 1, 2004 11:23:19 PM

On Sat, 1 May 2004 19:23:18 +1200, WS spoketh

>So what's the difference between plain-old "IP Packet filtering" and
>"stateful inspection firewalls"?
>
>"Jens Hoffmann" <jh@bofh.de> wrote in message
>news:slrnc921sk.g1o.jh@churrasco.bofh.de...

A packet filter simply checks a packet against a set of rules and
rejects/allows traffic based on that.

An application proxy firewall is one that will analyze a packet to
ensure that the traffic follows the rules of the protocol (i.e. http,
smtp, ftp, dns) as well as the defined rules for allowed/disallowed
traffic.

SPI simply means that the firewall takes a closer look at the packets to
ensure that they are what they say they are, meaning legitimate replies
to a previous outbound request.

SPI can be found in both packet inspection firewalls and application
proxy firewalls.


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
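
The difference between a plain packet filter and SPI described in the post above, as an added example that is not part of the original thread: a stateless rule and a connection-tracking filter judge the same constructed inbound packets. The addresses, ports, sequence numbers, window size and the names `stateless_allow` and `StatefulFilter` are assumptions for illustration, and validating replies by TCP sequence/acknowledgement numbers is this sketch's choice of what a "legitimate reply" means.

```python
from collections import namedtuple

# Constructed sample packet format; all values used below are made up.
Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack")

def stateless_allow(p):
    """Packet-filter rule: admit anything from port 80 with ACK set to 10.0.0.x."""
    return p.sport == 80 and "A" in p.flags and p.dst.startswith("10.0.0.")

class StatefulFilter:
    """Tracks outbound TCP connections and validates inbound replies against them."""
    WINDOW = 65535  # assumed receive window for the in-window check

    def __init__(self):
        self.table = {}  # (inside ip, inside port, outside ip, outside port) -> state

    def outbound(self, p):
        if p.flags == "S":  # new connection opened from the inside
            self.table[(p.src, p.sport, p.dst, p.dport)] = {
                "snd_nxt": p.seq + 1, "rcv_nxt": None}
        return True  # this sketch does not restrict outbound traffic

    def inbound(self, p):
        st = self.table.get((p.dst, p.dport, p.src, p.sport))
        if st is None:
            return False  # no outbound request this could be a reply to
        if p.flags == "SA" and st["rcv_nxt"] is None:
            if p.ack != st["snd_nxt"]:
                return False  # SYN-ACK does not acknowledge our SYN
            st["rcv_nxt"] = p.seq + 1
            return True
        if "A" in p.flags and st["rcv_nxt"] is not None:
            in_window = (p.seq - st["rcv_nxt"]) % 2**32 < self.WINDOW
            # Simplified: the inside host sends no data here, so ack must equal snd_nxt.
            return in_window and p.ack == st["snd_nxt"]
        return False

def demo():
    """Return {packet name: (stateless verdict, stateful verdict)}."""
    fw = StatefulFilter()
    fw.outbound(Pkt("10.0.0.5", 40000, "192.0.2.10", 80, "S", 1000, 0))
    inbound = [
        ("synack", Pkt("192.0.2.10", 80, "10.0.0.5", 40000, "SA", 5000, 1001)),
        ("data", Pkt("192.0.2.10", 80, "10.0.0.5", 40000, "A", 5001, 1001)),
        # Right addresses and ports, but sequence/ack numbers that fit no connection.
        ("spoof", Pkt("192.0.2.10", 80, "10.0.0.5", 40000, "A", 900000000, 77)),
        # "Reply" to a host that never opened a connection.
        ("stray", Pkt("192.0.2.10", 80, "10.0.0.9", 40000, "A", 1, 1)),
    ]
    return {name: (stateless_allow(p), fw.inbound(p)) for name, p in inbound}
```

The stateless rule admits all four packets; the connection-tracking filter admits only the two that belong to the tracked handshake.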
Anonymous
May 1, 2004 11:23:20 PM

On Sat, 01 May 2004 09:40:48 -0700, Bart Bailey spoketh

>In Message-ID:<6vu6909eilhit6t9f3pei5ivc8nk9rk70v@4ax.com> posted on
>Sat, 01 May 2004 06:40:05 -0400, Lars M. Hansen wrote:
>
>>On Sat, 1 May 2004 19:23:18 +1200, WS spoketh
>>
>>>So what's the difference between plain-old "IP Packet filtering" and
>>>"stateful inspection firewalls"?
>>>
>>>"Jens Hoffmann" <jh@bofh.de> wrote in message
>>>news:slrnc921sk.g1o.jh@churrasco.bofh.de...
>>
>>A packet filter simply checks a packet against a set of rules and
>>rejects/allows traffic based on that.
>>
>>An application proxy firewall is one that will analyze a packet to
>>ensure that the traffic follows the rules of the protocol (i.e. http,
>>smtp, ftp, dns) as well as the defined rules for allowed/disallowed
>>traffic.
>
>Looks like the main difference is in the choice of words used to say
>basically the same thing.
>
>A - There's a set of rules, whether your choice or some other protocol
>B - Packets are evaluated for compliance or noncompliance
>C - Action taken depends on the answer to B

It has to do with how "deep" into the packet the firewall goes.

Regular packet inspection will only check source and destination IP
address and port numbers. If it matches either an allow-rule or is a
reply packet, then the traffic is allowed, otherwise, it's rejected.

With SPI, a reply packet will have to match more than just IP and port
information, it also has to match sequence and acknowledge numbers.
Makes it more difficult to spoof.


Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
May 2, 2004 10:44:05 PM

Thanks for helping me get my head around this stuff!

"Lars M. Hansen" <badnews@hansenonline.net> wrote in message
news:pol7901fbagphlraf9mt8u02i3gl8e9e4a@4ax.com...
> On Sat, 01 May 2004 09:40:48 -0700, Bart Bailey spoketh
>
> >In Message-ID:<6vu6909eilhit6t9f3pei5ivc8nk9rk70v@4ax.com> posted on
> >Sat, 01 May 2004 06:40:05 -0400, Lars M. Hansen wrote:
> >
> >>On Sat, 1 May 2004 19:23:18 +1200, WS spoketh
> >>
> >>>So what's the difference between plain-old "IP Packet filtering" and
> >>>"stateful inspection firewalls"?
> >>>
> >>>"Jens Hoffmann" <jh@bofh.de> wrote in message
> >>>news:slrnc921sk.g1o.jh@churrasco.bofh.de...
> >>
> >>A packet filter simply checks a packet against a set of rules and
> >>rejects/allows traffic based on that.
> >>
> >>An application proxy firewall is one that will analyze a packet to
> >>ensure that the traffic follows the rules of the protocol (i.e. http,
> >>smtp, ftp, dns) as well as the defined rules for allowed/disallowed
> >>traffic.
> >
> >Looks like the main difference is in the choice of words used to say
> >basically the same thing.
> >
> >A - There's a set of rules, whether your choice or some other protocol
> >B - Packets are evaluated for compliance or noncompliance
> >C - Action taken depends on the answer to B
>
> It has to do with how "deep" into the packet the firewall goes.
>
> Regular packet inspection will only check source and destination IP
> address and port numbers. If it matches either an allow-rule or is a
> reply packet, then the traffic is allowed, otherwise, it's rejected.
>
> With SPI, a reply packet will have to match more than just IP and port
> information, it also has to match sequence and acknowledge numbers.
> Makes it more difficult to spoof.
>
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"
October 15, 2011 8:14:02 PM

Hello, I have no idea if I am supposed to post here or somewhere entirely different; I just now found this thread. I am also aware the site is Tom's "Hardware", however I have a question pertaining to firewalls and packet filtering, if you guys don't mind.

Okay, so I am wondering about both sides of an ordeal: 1. Is there a freeware firewall available for Windows 7 to filter packets but not block complete access? Like, for example, drop packets every 10 milliseconds? 2. On the flip side, what is one supposed to do to improve their ping / latency?

Thanks in advance!