Packet filters v. True firewall functionality.

Archived from groups: comp.security.firewalls

We have two private subnets, connected together by an Allied Telesyn AR740
router. One of the private subnets is less trustable than the others (it
contains the students!).

At the moment, the router employs a modest amount of packet (IP) filtering
rules to scan traffic traversing the router's interfaces.

My question is: why use the IP filters, when the device has a true stateful
inspection firewall function?

From what I have read, the main advantage is that ports remain closed until
traffic is deemed to be allowed through by the rules set up, whereas with the
packet filtering-only approach, the ports are wide open, but each packet
is checked before being allowed to traverse the interfaces; almost, but not
quite as good.
  1. Archived from groups: comp.security.firewalls

    Hi,

    WS <WS@nospam.com> wrote:
    > My question is: why use the IP filters, when the device has a true stateful
    > inspection firewall function?

    Stateful inspection firewall means, a packet filter which is able to track
    connections from one (in-) side to another (out-) side and recognizing
    packets which might correlate to that.

    It's got nothing to do with "open" or "closed" ports.

    Greetings,
    Jens
  2. Archived from groups: comp.security.firewalls

    I thought that a stateful inspection firewall was quite different from just
    "ip packet filtering", in that it provided true firewall functionality
    (ensuring ports are closed until required), as well as correlating packets
    with an IP filtering mechanism.

    Maybe I've developed a bit of a misunderstanding here.

    "Jens Hoffmann" <jh@bofh.de> wrote in message
    news:slrnc921sk.g1o.jh@churrasco.bofh.de...
    > Hi,
    >
    > WS <WS@nospam.com> wrote:
    > > My question is: why use the IP filters, when the device has a true stateful
    > > inspection firewall function?
    >
    > Stateful inspection firewall means, a packet filter which is able to track
    > connections from one (in-) side to another (out-) side and recognizing
    > packets which might correlate to that.
    >
    > It's got nothing to do with "open" or "closed" ports.
    >
    > Greetings,
    > Jens
  3. Archived from groups: comp.security.firewalls

    So what's the difference between plain-old "IP Packet filtering" and
    "stateful inspection firewalls"?

    "Jens Hoffmann" <jh@bofh.de> wrote in message
    news:slrnc921sk.g1o.jh@churrasco.bofh.de...
    > Hi,
    >
    > WS <WS@nospam.com> wrote:
    > > My question is: why use the IP filters, when the device has a true stateful
    > > inspection firewall function?
    >
    > Stateful inspection firewall means, a packet filter which is able to track
    > connections from one (in-) side to another (out-) side and recognizing
    > packets which might correlate to that.
    >
    > It's got nothing to do with "open" or "closed" ports.
    >
    > Greetings,
    > Jens
  4. Archived from groups: comp.security.firewalls

    On Sat, 1 May 2004 19:23:18 +1200, WS spoketh

    >So what's the difference between plain-old "IP Packet filtering" and
    >"stateful inspection firewalls"?
    >
    >"Jens Hoffmann" <jh@bofh.de> wrote in message
    >news:slrnc921sk.g1o.jh@churrasco.bofh.de...

    A packet filter simply checks a packet against a set of rules and
    rejects/allows traffic based on that.

    An application proxy firewall is one that will analyze a packet to
    ensure that the traffic follows the rules of the protocol (i.e. http,
    smtp, ftp, dns) as well as the defined rules for allowed/disallowed
    traffic.

    SPI simply means that the firewall takes a closer look at the packets to
    ensure that they are what they say they are, meaning legitimate replies
    to a previous outbound request.

    SPI can be found in both packet inspection firewalls and application
    proxy firewalls.


    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  5. Archived from groups: comp.security.firewalls

    On Sat, 01 May 2004 09:40:48 -0700, Bart Bailey spoketh

    >In Message-ID:<6vu6909eilhit6t9f3pei5ivc8nk9rk70v@4ax.com> posted on
    >Sat, 01 May 2004 06:40:05 -0400, Lars M. Hansen wrote:
    >
    >>On Sat, 1 May 2004 19:23:18 +1200, WS spoketh
    >>
    >>>So what's the difference between plain-old "IP Packet filtering" and
    >>>"stateful inspection firewalls"?
    >>>
    >>>"Jens Hoffmann" <jh@bofh.de> wrote in message
    >>>news:slrnc921sk.g1o.jh@churrasco.bofh.de...
    >>
    >>A packet filter simply checks a packet against a set of rules and
    >>rejects/allows traffic based on that.
    >>
    >>An application proxy firewall is one that will analyze a packet to
    >>ensure that the traffic follows the rules of the protocol (i.e. http,
    >>smtp, ftp, dns) as well as the defined rules for allowed/disallowed
    >>traffic.
    >
    >Looks like the main difference is in the choice of words used to say
    >basically the same thing.
    >
    >A - There's a set of rules, whether your choice or some other protocol
    >B - Packets are evaluated for compliance or noncompliance
    >C - Action taken depends on the answer to B

    It has to do with how "deep" into the packet the firewall goes.

    Regular packet inspection will only check source and destination IP
    address and port numbers. If it matches either an allow-rule or is a
    reply packet, then the traffic is allowed, otherwise, it's rejected.

    With SPI, a reply packet will have to match more than just IP and port
    information, it also has to match sequence and acknowledge numbers.
    Makes it more difficult to spoof.


    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
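The distinction drawn in the post above, as an added example that is not part of the original thread: one filter accepts a reply when only its addresses and ports match an earlier outbound packet, the other also requires the sequence and acknowledgment numbers to fit. This is a simplified model, not the AR740's implementation; the addresses, ports, window size and packet trace are constructed.

```python
from collections import namedtuple

# flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK; ack and length default to 0
Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack length", defaults=(0, 0))

INSIDE = "10.0.1."    # constructed prefix for the trusted subnet
WINDOW = 65535        # assumed receive window (no wraparound handling)

class ReplyFilter:
    def __init__(self, check_seq):
        self.check_seq = check_seq
        self.flows = {}   # (in_ip, in_port, out_ip, out_port) -> seq state

    def allow(self, p):
        if p.src.startswith(INSIDE):       # outbound: allow and remember
            st = self.flows.setdefault((p.src, p.sport, p.dst, p.dport),
                                       {"snd_nxt": 0, "rcv_nxt": None})
            st["snd_nxt"] = p.seq + p.length + ("S" in p.flags)
            return True
        st = self.flows.get((p.dst, p.dport, p.src, p.sport))
        if st is None:
            return False                   # not a reply to anything we sent
        if not self.check_seq:
            return True                    # addresses and ports were enough
        if "A" not in p.flags or p.ack != st["snd_nxt"]:
            return False                   # does not acknowledge our data
        if st["rcv_nxt"] is None:
            if p.flags != "SA":
                return False               # first reply must be the SYN-ACK
        elif not st["rcv_nxt"] <= p.seq < st["rcv_nxt"] + WINDOW:
            return False                   # sequence number outside window
        st["rcv_nxt"] = max(st["rcv_nxt"] or 0, p.seq + p.length + ("S" in p.flags))
        return True

C, S = ("10.0.1.5", 40000), ("192.0.2.10", 80)
TRACE = [  # constructed packets
    Pkt(*C, *S, "S", 1000),                  # inside host opens a connection
    Pkt(*S, *C, "SA", 5000, 1001),           # genuine SYN-ACK
    Pkt(*C, *S, "A", 1001, 5001),            # handshake completes
    Pkt(*S, *C, "A", 900000, 42, 100),       # forged: right tuple, wrong seq/ack
    Pkt(*S, *C, "A", 5001, 1001, 200),       # genuine data from the server
    Pkt("198.51.100.7", 80, *C, "S", 1),     # unsolicited inbound packet
]

def run(check_seq):
    f = ReplyFilter(check_seq)
    return [f.allow(p) for p in TRACE]
```

Both modes drop the unsolicited packet; only the sequence-checking mode drops the forged one that reuses the established connection's addresses and ports.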
  6. Archived from groups: comp.security.firewalls

    Thanks for helping me get my head around this stuff!

    "Lars M. Hansen" <badnews@hansenonline.net> wrote in message
    news:pol7901fbagphlraf9mt8u02i3gl8e9e4a@4ax.com...
    > On Sat, 01 May 2004 09:40:48 -0700, Bart Bailey spoketh
    >
    > >In Message-ID:<6vu6909eilhit6t9f3pei5ivc8nk9rk70v@4ax.com> posted on
    > >Sat, 01 May 2004 06:40:05 -0400, Lars M. Hansen wrote:
    > >
    > >>On Sat, 1 May 2004 19:23:18 +1200, WS spoketh
    > >>
    > >>>So what's the difference between plain-old "IP Packet filtering" and
    > >>>"stateful inspection firewalls"?
    > >>>
    > >>>"Jens Hoffmann" <jh@bofh.de> wrote in message
    > >>>news:slrnc921sk.g1o.jh@churrasco.bofh.de...
    > >>
    > >>A packet filter simply checks a packet against a set of rules and
    > >>rejects/allows traffic based on that.
    > >>
    > >>An application proxy firewall is one that will analyze a packet to
    > >>ensure that the traffic follows the rules of the protocol (i.e. http,
    > >>smtp, ftp, dns) as well as the defined rules for allowed/disallowed
    > >>traffic.
    > >
    > >Looks like the main difference is in the choice of words used to say
    > >basically the same thing.
    > >
    > >A - There's a set of rules, whether your choice or some other protocol
    > >B - Packets are evaluated for compliance or noncompliance
    > >C - Action taken depends on the answer to B
    >
    > It has to do with how "deep" into the packet the firewall goes.
    >
    > Regular packet inspection will only check source and destination IP
    > address and port numbers. If it matches either an allow-rule or is a
    > reply packet, then the traffic is allowed, otherwise, it's rejected.
    >
    > With SPI, a reply packet will have to match more than just IP and port
    > information, it also has to match sequence and acknowledge numbers.
    > Makes it more difficult to spoof.
    >
    >
    > Lars M. Hansen
    > www.hansenonline.net
    > Remove "bad" from my e-mail address to contact me.
    > "If you try to fail, and succeed, which have you done?"
  7. Hello, I have no idea if I am supposed to post here or somewhere entirely different; I just now found this thread. I am also aware the site is Tom's "Hardware"; however, I have a question pertaining to firewalls and packet filtering, if you guys don't mind.

    Okay, so I am wondering about both sides of an ordeal: 1. Is there a freeware firewall available for Windows 7 to filter packets but not block complete access? Like, for example, drop packets every 10 milliseconds? & 2. On the flip side, what is one supposed to do to improve their ping / latency?

    Thanks in advance!