Packet filters v. True firewall functionality.
Last response: in Networking
Archived from groups: comp.security.firewalls (More info?)
We have two private subnets, connected together by an Allied Telesyn AR740
router. One of the private subnets is less trustable than the others (it
contains the students!).
At the moment, the router employs a modest amount of packet (ip) filtering
rules to scan traffic traversing the routers interfaces.
My question is: why use the IP filters, when the device has a true stateful
inspection firewall function?
From what I have read, the main advantage is that ports remain closed until
traffic is deemed to be allow through by the rules set up, where-as with the
packet filtering-only approach, the ports are wide open, but a each packet
is checked before being allowed to traverse the interfaces; almost, but not
quite as good.
We have two private subnets, connected together by an Allied Telesyn AR740
router. One of the private subnets is less trustable than the others (it
contains the students!).
At the moment, the router employs a modest amount of packet (ip) filtering
rules to scan traffic traversing the routers interfaces.
My question is: why use the IP filters, when the device has a true stateful
inspection firewall function?
From what I have read, the main advantage is that ports remain closed until
traffic is deemed to be allow through by the rules set up, where-as with the
packet filtering-only approach, the ports are wide open, but a each packet
is checked before being allowed to traverse the interfaces; almost, but not
quite as good.
More about : packet filters true firewall functionality
Archived from groups: comp.security.firewalls (More info?)
Hi,
WS <WS@nospam.com> wrote:
> My question is: why use the IP filters, when the device has a true stateful
> inspection firewall function?
Stateful inspection firewall means, a packet filter which is able to track
connections from one (in-) side to another (out-) side and recognizing
pakets which might correlate to that.
It's got nothing to do with "open" or "closed" ports.
Greetings,
Jens
Hi,
WS <WS@nospam.com> wrote:
> My question is: why use the IP filters, when the device has a true stateful
> inspection firewall function?
Stateful inspection firewall means, a packet filter which is able to track
connections from one (in-) side to another (out-) side and recognizing
pakets which might correlate to that.
It's got nothing to do with "open" or "closed" ports.
Greetings,
Jens
Archived from groups: comp.security.firewalls (More info?)
I thought that a stateful inspection firewall was quite different from just
"ip packet filtering", in that it provided true firewall functionality
(ensuring ports are close until required), as well as correlating packets
with an IP filtering mechanism.
Maybe I've developed a bit of a misunderstanding here.
"Jens Hoffmann" <jh@bofh.de> wrote in message
news:slrnc921sk.g1o.jh@churrasco.bofh.de...
> Hi,
>
> WS <WS@nospam.com> wrote:
> > My question is: why use the IP filters, when the device has a true
stateful
> > inspection firewall function?
>
> Stateful inspection firewall means, a packet filter which is able to track
> connections from one (in-) side to another (out-) side and recognizing
> pakets which might correlate to that.
>
> It's got nothing to do with "open" or "closed" ports.
>
> Greetings,
> Jens
I thought that a stateful inspection firewall was quite different from just
"ip packet filtering", in that it provided true firewall functionality
(ensuring ports are close until required), as well as correlating packets
with an IP filtering mechanism.
Maybe I've developed a bit of a misunderstanding here.
"Jens Hoffmann" <jh@bofh.de> wrote in message
news:slrnc921sk.g1o.jh@churrasco.bofh.de...
> Hi,
>
> WS <WS@nospam.com> wrote:
> > My question is: why use the IP filters, when the device has a true
stateful
> > inspection firewall function?
>
> Stateful inspection firewall means, a packet filter which is able to track
> connections from one (in-) side to another (out-) side and recognizing
> pakets which might correlate to that.
>
> It's got nothing to do with "open" or "closed" ports.
>
> Greetings,
> Jens
Archived from groups: comp.security.firewalls (More info?)
So what's the difference between plain-old "IP Packet filtering" and
"stateful inspection firewalls"?
"Jens Hoffmann" <jh@bofh.de> wrote in message
news:slrnc921sk.g1o.jh@churrasco.bofh.de...
> Hi,
>
> WS <WS@nospam.com> wrote:
> > My question is: why use the IP filters, when the device has a true
stateful
> > inspection firewall function?
>
> Stateful inspection firewall means, a packet filter which is able to track
> connections from one (in-) side to another (out-) side and recognizing
> pakets which might correlate to that.
>
> It's got nothing to do with "open" or "closed" ports.
>
> Greetings,
> Jens
So what's the difference between plain-old "IP Packet filtering" and
"stateful inspection firewalls"?
"Jens Hoffmann" <jh@bofh.de> wrote in message
news:slrnc921sk.g1o.jh@churrasco.bofh.de...
> Hi,
>
> WS <WS@nospam.com> wrote:
> > My question is: why use the IP filters, when the device has a true
stateful
> > inspection firewall function?
>
> Stateful inspection firewall means, a packet filter which is able to track
> connections from one (in-) side to another (out-) side and recognizing
> pakets which might correlate to that.
>
> It's got nothing to do with "open" or "closed" ports.
>
> Greetings,
> Jens
Related ressources
- Ok to let all ICMP traffic through firewall ? - Forum
- Good gaming router/ firewall - Forum
- Rogue packet getting through router, or valid packet being.. - Forum
- Why a software firewall ? - Forum
- Which Firewall ? - Forum
Archived from groups: comp.security.firewalls (More info?)
On Sat, 1 May 2004 19:23:18 +1200, WS spoketh
>So what's the difference between plain-old "IP Packet filtering" and
>"stateful inspection firewalls"?
>
>"Jens Hoffmann" <jh@bofh.de> wrote in message
>news:slrnc921sk.g1o.jh@churrasco.bofh.de...
A packet filter simply checks a packet against a set of rules and
rejects/allows traffic based on that.
An application proxy firewall is one that will analyze a packet to
ensure that the traffic follows the rules of the protocol (i.e. http,
smtp, ftp, dns) as well as the defined rules for allowed/disallowed
traffic.
SPI simply means that the firewall takes a closer look at the packets to
ensure that they are what they say they are, meaning legitimate replies
to a previous outbound request.
SPI can be found in both packet inspection firewalls and application
proxy firewalls.
Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
On Sat, 1 May 2004 19:23:18 +1200, WS spoketh
>So what's the difference between plain-old "IP Packet filtering" and
>"stateful inspection firewalls"?
>
>"Jens Hoffmann" <jh@bofh.de> wrote in message
>news:slrnc921sk.g1o.jh@churrasco.bofh.de...
A packet filter simply checks a packet against a set of rules and
rejects/allows traffic based on that.
An application proxy firewall is one that will analyze a packet to
ensure that the traffic follows the rules of the protocol (i.e. http,
smtp, ftp, dns) as well as the defined rules for allowed/disallowed
traffic.
SPI simply means that the firewall takes a closer look at the packets to
ensure that they are what they say they are, meaning legitimate replies
to a previous outbound request.
SPI can be found in both packet inspection firewalls and application
proxy firewalls.
Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Archived from groups: comp.security.firewalls (More info?)
On Sat, 01 May 2004 09:40:48 -0700, Bart Bailey spoketh
>In Message-ID:<6vu6909eilhit6t9f3pei5ivc8nk9rk70v@4ax.com> posted on
>Sat, 01 May 2004 06:40:05 -0400, Lars M. Hansen wrote:
>
>>On Sat, 1 May 2004 19:23:18 +1200, WS spoketh
>>
>>>So what's the difference between plain-old "IP Packet filtering" and
>>>"stateful inspection firewalls"?
>>>
>>>"Jens Hoffmann" <jh@bofh.de> wrote in message
>>>news:slrnc921sk.g1o.jh@churrasco.bofh.de...
>>
>>A packet filter simply checks a packet against a set of rules and
>>rejects/allows traffic based on that.
>>
>>An application proxy firewall is one that will analyze a packet to
>>ensure that the traffic follows the rules of the protocol (i.e. http,
>>smtp, ftp, dns) as well as the defined rules for allowed/disallowed
>>traffic.
>
>Looks like the main difference is in the choice of words used to say
>basically the same thing.
>
>A - There's a set of rules, whether your choice or some other protocol
>B - Packets are evaluated for compliance or noncompliance
>C - Action taken depends on the answer to B
It has to do with how "deep" into the packet the firewall goes.
Regular packet inspection will only check source and destination IP
address and port numbers. If it matches either an allow-rule or is a
reply packet, then the traffic is allowed, otherwise, it's rejected.
With SPI, a reply packet will have to match more than just IP and port
information, it also has to match sequence and acknowledge numbers.
Makes it more difficult to spoof.
Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
On Sat, 01 May 2004 09:40:48 -0700, Bart Bailey spoketh
>In Message-ID:<6vu6909eilhit6t9f3pei5ivc8nk9rk70v@4ax.com> posted on
>Sat, 01 May 2004 06:40:05 -0400, Lars M. Hansen wrote:
>
>>On Sat, 1 May 2004 19:23:18 +1200, WS spoketh
>>
>>>So what's the difference between plain-old "IP Packet filtering" and
>>>"stateful inspection firewalls"?
>>>
>>>"Jens Hoffmann" <jh@bofh.de> wrote in message
>>>news:slrnc921sk.g1o.jh@churrasco.bofh.de...
>>
>>A packet filter simply checks a packet against a set of rules and
>>rejects/allows traffic based on that.
>>
>>An application proxy firewall is one that will analyze a packet to
>>ensure that the traffic follows the rules of the protocol (i.e. http,
>>smtp, ftp, dns) as well as the defined rules for allowed/disallowed
>>traffic.
>
>Looks like the main difference is in the choice of words used to say
>basically the same thing.
>
>A - There's a set of rules, whether your choice or some other protocol
>B - Packets are evaluated for compliance or noncompliance
>C - Action taken depends on the answer to B
It has to do with how "deep" into the packet the firewall goes.
Regular packet inspection will only check source and destination IP
address and port numbers. If it matches either an allow-rule or is a
reply packet, then the traffic is allowed, otherwise, it's rejected.
With SPI, a reply packet will have to match more than just IP and port
information, it also has to match sequence and acknowledge numbers.
Makes it more difficult to spoof.
Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Archived from groups: comp.security.firewalls (More info?)
Thanks for helping me get my head around this stuff!
"Lars M. Hansen" <badnews@hansenonline.net> wrote in message
news![:p]( ":p")
ol7901fbagphlraf9mt8u02i3gl8e9e4a@4ax.com...
> On Sat, 01 May 2004 09:40:48 -0700, Bart Bailey spoketh
>
> >In Message-ID:<6vu6909eilhit6t9f3pei5ivc8nk9rk70v@4ax.com> posted on
> >Sat, 01 May 2004 06:40:05 -0400, Lars M. Hansen wrote:
> >
> >>On Sat, 1 May 2004 19:23:18 +1200, WS spoketh
> >>
> >>>So what's the difference between plain-old "IP Packet filtering" and
> >>>"stateful inspection firewalls"?
> >>>
> >>>"Jens Hoffmann" <jh@bofh.de> wrote in message
> >>>news:slrnc921sk.g1o.jh@churrasco.bofh.de...
> >>
> >>A packet filter simply checks a packet against a set of rules and
> >>rejects/allows traffic based on that.
> >>
> >>An application proxy firewall is one that will analyze a packet to
> >>ensure that the traffic follows the rules of the protocol (i.e. http,
> >>smtp, ftp, dns) as well as the defined rules for allowed/disallowed
> >>traffic.
> >
> >Looks like the main difference is in the choice of words used to say
> >basically the same thing.
> >
> >A - There's a set of rules, whether your choice or some other protocol
> >B - Packets are evaluated for compliance or noncompliance
> >C - Action taken depends on the answer to B
>
> It has to do with how "deep" into the packet the firewall goes.
>
> Regular packet inspection will only check source and destination IP
> address and port numbers. If it matches either an allow-rule or is a
> reply packet, then the traffic is allowed, otherwise, it's rejected.
>
> With SPI, a reply packet will have to match more than just IP and port
> information, it also has to match sequence and acknowledge numbers.
> Makes it more difficult to spoof.
>
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"
Thanks for helping me get my head around this stuff!
"Lars M. Hansen" <badnews@hansenonline.net> wrote in message
news
ol7901fbagphlraf9mt8u02i3gl8e9e4a@4ax.com...> On Sat, 01 May 2004 09:40:48 -0700, Bart Bailey spoketh
>
> >In Message-ID:<6vu6909eilhit6t9f3pei5ivc8nk9rk70v@4ax.com> posted on
> >Sat, 01 May 2004 06:40:05 -0400, Lars M. Hansen wrote:
> >
> >>On Sat, 1 May 2004 19:23:18 +1200, WS spoketh
> >>
> >>>So what's the difference between plain-old "IP Packet filtering" and
> >>>"stateful inspection firewalls"?
> >>>
> >>>"Jens Hoffmann" <jh@bofh.de> wrote in message
> >>>news:slrnc921sk.g1o.jh@churrasco.bofh.de...
> >>
> >>A packet filter simply checks a packet against a set of rules and
> >>rejects/allows traffic based on that.
> >>
> >>An application proxy firewall is one that will analyze a packet to
> >>ensure that the traffic follows the rules of the protocol (i.e. http,
> >>smtp, ftp, dns) as well as the defined rules for allowed/disallowed
> >>traffic.
> >
> >Looks like the main difference is in the choice of words used to say
> >basically the same thing.
> >
> >A - There's a set of rules, whether your choice or some other protocol
> >B - Packets are evaluated for compliance or noncompliance
> >C - Action taken depends on the answer to B
>
> It has to do with how "deep" into the packet the firewall goes.
>
> Regular packet inspection will only check source and destination IP
> address and port numbers. If it matches either an allow-rule or is a
> reply packet, then the traffic is allowed, otherwise, it's rejected.
>
> With SPI, a reply packet will have to match more than just IP and port
> information, it also has to match sequence and acknowledge numbers.
> Makes it more difficult to spoof.
>
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"
Hello I have no idea if I am suppose to post here or somewhere entirely different I just now found this thread. I am also aware the site is toms"hardware" however I have a question pertaining to the firewalls and packet filtering if you guys don't mind.
Okay so I am wondering both sides of an ordeal 1. is there a freeware firewall available for windows 7 to filter packets but not block complete access? like for example drop packets every 10 milliseconds? & 2. On the flip side what is one suppose to do to improve their ping / latency?
Thanks in advance!
Okay so I am wondering both sides of an ordeal 1. is there a freeware firewall available for windows 7 to filter packets but not block complete access? like for example drop packets every 10 milliseconds? & 2. On the flip side what is one suppose to do to improve their ping / latency?
Thanks in advance!
Related ressources:
- ForumHardware Firewall Recommendation
- ForumHardware Firewall ??
- ForumConfigurating the Firewall in both Linux and Xp!
- ForumWould a firewall prevent Sasser worm?
- ForumRouter a Firewall ?
- ForumHardware Router Charts
- ForumDon't use a Firewall other than Windows Firewall ?
- ForumDo I need a Hardware Firewall ?
- ForumShould I upgrade to 6.0Mbps?
- ForumLast Norton Liveupdate Broke Firewall !
- ForumUsing another computer networked as a Firewall
- ForumYes, the Linksys WRT54G V 5 Really Is a Lousy Router
- ForumRouter Setup
- ForumFirewall + antivirus hardware ?
- ForumSygate Firewall Load-Time
- More resources
Read discussions in other Networking categories
!
