I don't need no stinking firewall!

Security Gurus, et al,

I have my own idea of what a firewall is and what it does. I also
understand what statefull packet inspection is and what it does. Given
this information, and not prejudging any responses, exactly what is a
firewall for and when is statefull inspection useful?

Please respond on-list as I want to have some useful discourse and
discussion in the clear. Flamers and Trolls will be disregarded.

Thank you.

- Brian

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the
intended recipient(s) and may contain confidential and privileged information. Any unauthorized review,
copying, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original message. Thank you.

In the most basic terms, a stateful firewall performs bidirectional classification of communications between nodes, and makes a pass/fail determination on each packet based on a) whether or not a bidirectional communications session is already open between the nodes and b) any policy rules configured on the firewall as to what ports/protocols should be allowed between said nodes.

Stateful firewalls make good sense in front of machines which are primarily clients; the stateful inspection part keeps unsolicited packets away from the clients.

Stateful firewalls make absolutely no sense in front of servers, given that by definition, every packet coming into the server is unsolicited (some protocols like ftp work a bit differently in that there're multiple bidirectional/omnidirectional communications sessions, but the key is that the initial connection is always unsolicited).

Putting firewalls in front of servers is a Really Bad Idea - besides the fact that the stateful inspection premise doesn't apply (see above), rendering the stateful firewall superfluous, even the biggest, baddest firewalls out there can be easily taken down via state-table exhaustion; an attacker can craft enough programmatically-generated, well-formed traffic which conforms to the firewall policies to 'crowd out' legitimate traffic, thus DoSing the server. Addtionally, the firewall can be made to collapse far quicker than the server itself would collapse, as the overhead on the state-tracking is less than what the server itself could handle on its own.

Not sure I'd call myself a security guru, but...

I'm not a great fan of packet filtering firewalls (as opposed to proxy based
or application layer firewalls).

Generally, I just use stateless ACLs when I need additional network level
security. However, they do have one big disadvantage. Say you've got a server
where you want to allow outbound HTTP access to anywhere on the Internet, but
only SSH inbound from your home DSL. To do this, you'd build an inbound ACL
which looks something like:

  - Allow from home DSL IP to server port 22
  - Allow from anywhere port 80 to server
  - Deny all other traffic.

You need the port 80 rule to allow the return traffic from all those outbound
connections.

However, an enterprising hacker realises that he can create a TCP connection
from port 80 on his own box to port 22 on your server.

Now, if you change from stateless to stateful ACLs, you add the intelligence
that whenever it sees an connection originating from your server to port 80
on the internet, it automatically adds a rule that allows traffic back from
the server you're talking to, but not anywhere else. Therefore, your
enterprising hacker can no longer connect in.

Of course, the other benefit that a stateful inspection firewall can do is
pattern matching on undesirable traffic based on signatures

Simon

Stateful inspection is useful for breaking things in subtle and
hard-to-debug ways.
http://fanf.livejournal.com/102206.html
http://fanf.livejournal.com/95831.html

Tony.

The trick is to not track ports/IPs that do not need it. On my combo firewalls (that handle both NATing and serving websites, dns, etc) for example, I'll do a NOTRACK on the LAN side to prevent connections to the firewall itself from taking up valuable table space.

It's all how you configure and tweak the firewall. Recommending people run servers without a firewall is bad advice - do you really want your Win2k3 server exposed, SMB, RPC, and all to the world?

Tony Finch wrote:

Stateful inspection is useful for breaking things in subtle and
hard-to-debug ways.

>

More firewall hate - Tony Finch's blog — LiveJournal
http://fanf.livejournal.com/95831.html

Is that really stateful inspection? Isn't the SMTP fixup on a PIX an application-level gateway?

I *though* most of the world turns SMTP fixup off because it's naff.

Peter

Simon Lockhart wrote:

Generally, I just use stateless ACLs when I need additional network level
security. However, they do have one big disadvantage. Say you've got a server
where you want to allow outbound HTTP access to anywhere on the Internet, but
only SSH inbound from your home DSL. To do this, you'd build an inbound ACL
which looks something like:

  - Allow from home DSL IP to server port 22
  - Allow from anywhere port 80 to server

Change the above to:
     - Allow from anywhere port 80 to server port > 1023

Or better:
     - Allow from anywhere port 80 to server port > 1023 established

  - Deny all other traffic.

You need the port 80 rule to allow the return traffic from all those outbound
connections.

Those outbound connections will originate from a random high port, so just allow those as destination ports on your inbound rule.

However, an enterprising hacker realises that he can create a TCP connection
from port 80 on his own box to port 22 on your server.

Not with the above rules.

It is a ALG, and a completely braindead one at that. Nothing like trying to figure out what an error message means when its just...

XXX ******************************************************

The PIX's fixup for DNS packets have been causing issues on my end too in one setup.

I have an answer to that problem, but not everyone would agree with it [1].

Simon

Stateful firewalls make absolutely no sense in front of servers, given that by definition, every packet coming into the server is unsolicited (some protocols like ftp work a bit differently in that there're multiple bidirectional/omnidirectional communications sessions, but the key is that the initial connection is always unsolicited).

I'm interested by this assertion; surely Stateful Inspection is meant to facilitate the blocking of out-of-sequence packets, ones which aren't part of valid + recognised existing sessions - whilst of course allowing valid SYN session-starters, etc?

So thus, there may still be some value in catching 'injected' packets which don't actually belong in a session... ?

Putting firewalls in front of servers is a Really Bad Idea - besides the fact that the stateful inspection premise doesn't apply (see above), rendering the stateful firewall superfluous, even the biggest, baddest firewalls out there can be easily taken down via state-table exhaustion; an attacker can craft enough programmatically-generated, well-formed traffic which conforms to the firewall policies to 'crowd out' legitimate traffic, thus DoSing the server. Addtionally, the firewall can be made to collapse far quicker than the server itself would collapse, as the overhead on the state-tracking is less than what the server itself could handle on its own.

Some might argue that DoS is preferred to the other degrees of risk that many webservers hold... (trying not to point the finger in any one specific direction.)

Mark.

Is that really stateful inspection? Isn't the SMTP fixup on a PIX an
application-level gateway?

Well, the bug I described is caused by it not being stateful enough.

I *though* most of the world turns SMTP fixup off because it's naff.

Exactly my point

Tony.

Doesn't using the established allow any packet with ACK/RST set and wouldn't you have to allow all high ports?

Jason

I have an answer to that problem, but not everyone would agree with it [1].

One of my biggest beefs with some people is that they'll stand there with their fingers in their ears yelling LA LA LA if you point out to them that not every person in the world can use Linux/UNIX/etc. Some businesses _must_ use Windows to support the applications they use.

> [1] That said, when I've had no choice but to use a Win2k3 web
> server, I've proxy-passed it behind an Apache server.

Except that it requires yet another machine to be sold to a customer who already laid out however many thousands of dollars for a server + licenses + CALs + applications.

If we already have the firewall, its _very_ hard for me to justify to the customer another chunk of cash for a second firewall just for the server.

Jason Shearer wrote:

Doesn't using the established allow any packet with ACK/RST set

Yes, as would be expected for legitimate return traffic for a TCP connection initiated from a browser inside the firewall.

and wouldn't you have to allow all high ports?

That's what the ">" is for. Cisco syntax "gt" (greater than).

The point is that either of these will deny unsolicited new connection attempts from the outside to TCP 22 (and 445, 135, etc.)

Some people think that exposing any functionality by default such as that is a poor security practice

My biggest issue is that people think that Firewalls, AV, etc are a catch-all for any network/user/security badness. The real world is more complex than that.

Most people make poor security choices and this creates much larger issues.

"I thought the firewall would protect me".
"I thought my IPS would protect me"
"I thought my AV would protect me"

Most of these technologies create a truly false sense of security.

I'm once again reminded of many people who do technically "silly" things like block TCP/53, packets over 512 bytes, port 587, ssl imap ports, etc.

It's frustrating and sad because it's not an effective security strategy and frustrates grumpy old-school users as myself that used odi drivers w/ ka9q to multitask over our CSLIP networks.

- Jared

In the most basic terms, a stateful firewall performs bidirectional classification of communications between nodes, and makes a pass/fail determination on each packet based on a) whether or not a bidirectional communications session is already open between the nodes and b) any policy rules configured on the firewall as to what ports/protocols should be allowed between said nodes.

Stateful firewalls make good sense in front of machines which are primarily clients; the stateful inspection part keeps unsolicited packets away from the clients.

Stateful firewalls make absolutely no sense in front of servers, given that by definition, every packet coming into the server is unsolicited (some protocols like ftp work a bit differently in that there're multiple bidirectional/omnidirectional communications sessions, but the key is that the initial connection is always unsolicited).

Putting firewalls in front of servers is a Really Bad Idea - besides the

Hi Roland. I disagree strongly with this position.

fact that the stateful inspection premise doesn't apply (see above),

The problem is that your premise is wrong. Stateful firewalls (hereafter just called firewalls) offer several advantages. This list is not necessarily exhaustive.

(1) Security in depth. In an ideal world every packet arriving at a server would be for a port that is intended to be open and listening. Unfortunately ports can be opened unintentionally on servers in several ways: sysadmin error, package management systems pulling in an extra package which starts a service, etc. By having a firewall in front of the server we gain security in depth against errors like this.

(2) Centralised management of access controls. Many services should only be open to a certain set of source addresses. While this could be managed on each server we may find that some applications don't support this well, and management of access controls is then spread across any number of management interfaces. Using a firewall for network access control reduces the management overhead and chances of error. Even if network access control is managed on the server, doing it on the firewall offers additional security in depth.

(3) Outbound access controls. In many cases we want to stop certain types of outbound traffic. This may contain an intrusion and prevent attacks against other hosts owned by the organisation or other organisations. Trying to do outbound access control on the server won't help as if the server is compromised the attacker can likely get around it.

(4) Rate limiting. The ability to rate limit incoming and outgoing data can prevent certain sorts of DoSes.

(5) Signature based blocking. Modern firewalls can be tied to intrusion prevention systems which will 'raise the shields' in the face of certain attacks. Many exploits require repeated probing and this provides a way to stop the attack before it is successful.

rendering the stateful firewall superfluous, even the biggest, baddest firewalls out there can be easily taken down via state-table exhaustion;

Do you have any evidence to support this assertion? You've just asserted that all firewalls have a specific vulnerability. It isn't even possible to know the complete set of architectures (hardware & software) used for firewalls so I don't see how you can assert they all have this vulnerability.

In any case, my experience tells me that a DDoS will be successful due to exhaustion of available network capacity before it exhausts the state table on the firewall.

an attacker can craft enough programmatically-generated, well-formed traffic which conforms to the firewall policies to 'crowd out' legitimate traffic, thus DoSing the server. Addtionally, the firewall can be made to collapse far quicker than the server itself would collapse, as the overhead on the state-tracking is less than what the server itself could handle on its own.

Again, I don't believe such a global claim can be made given the wide variety of architectures used for firewalls.

Cheers,

Rob

Nope - I use stateless ACLs in hardware, capable of handling mpps.

I'm interested by this assertion; surely Stateful Inspection is meant to
facilitate the blocking of out-of-sequence packets, ones which aren't part
of valid + recognised existing sessions - whilst of course allowing valid
SYN session-starters, etc?

So thus, there may still be some value in catching 'injected' packets
which don't actually belong in a session... ?

Nope - the hosts handle this better on their own.

Some might argue that DoS is preferred to the other degrees of risk that
many webservers hold... (trying not to point the finger in any one
specific direction.)

Except that the firewalls don't mitigate any of the other degrees of risk, either.

A firewall is anything that examines IP packets in-line for the
purpose of discarding undesirable packets before they can be
interpreted by the transport layer protocol (e.g. TCP) on the endpoint
computer.

A firewall is usually a computer filling in the same slot as a router
in a network topology capable of discarding packets before they can
reach the endpoint computer at all. In some cases though, a firewall
may be a separate piece of software on the same computer sending or
receiving the packet.

The purpose of the firewall is to permit the protected equipment to
operate with a less thorough (hence less expensive) attention to the
network security process. Can't really afford to have a dedicated
network security guru for every dozen desktops playing big brother
with what software the users are using so you focus your attention on
the border instead.

Stateful inspection is useful when you want the firewall to discard
any packets which are not part of a communications session that the
firewall understands and has approved. By contrast, packet filtering
will only discard those packets explicitly deemed bad.

At a practical level, the above distinction can be a noop. Internal
machines are usually incapable of acting on packets the packet filter
will unintentionally pass, such as IP fragments without the first
fragment.

Stateful address-overloaded NAT offers additional protection over
stateful inspection alone in that the firewall naturally "fails
closed." That is, a malfunctioning firewall will drop acceptable
packets rather than allow bad ones. This is "defense in depth." An
error in the filtering process still leaves the firewall with no idea
which internal machine to transmit the errantly cleared packet to;
that information was only available as part of the session state. By
contrast, stateful, packet filtering and non-overloaded NAT firewalls
are always able to send the packet to an internal machine once it
passes the filtering rules.

This last is part of what makes the little "DSL routers" such useful
weapons in the network security professional's arsenal.

Regards,
Bill Herrin

Jason Shearer wrote:
> Doesn't using the established allow any packet with ACK/RST set

Yes, as would be expected for legitimate return traffic for a TCP
connection initiated from a browser inside the firewall.

> and wouldn't you have to allow all high ports?

That's what the ">" is for. Cisco syntax "gt" (greater than).

One could also use reflexive access lists, which are much better
than static lists, although that takes you back to stateful.

It is possible to combine them both to achieve a mostly stateless
setup while still having better overall security.