ScreenOS Firewalls (NOT SRX)
Contributor
yurtesen
Posts: 58
Registered: ‎09-13-2008

Security Policies vs. Stateless Firewall

Hello,

 

I was wondering what would be the difference between Security Policies vs. Stateless Firewall? (besides policies allowing scheduling and IDS).

 

Isn't it so that the stateless firewall can still be configured to allow 'established' connections where it can track sessions and connections?

 

What I am looking for is what advantage security policies provide that a stateless firewall cannot. I already reviewed:

http://www.juniper.net/techpubs/software/junos-es/junos-es92/junos-es-swconfig-interfaces-and-routing/configuring-stateless-firewall-filters-acls.html

where it says:

"A stateless firewall filter, often called a firewall filter or access control list (ACL), statically evaluates packet contents. In contrast, a stateful firewall filter uses connection state information derived from past communications and other applications to make dynamic control decisions."

However, since a stateless firewall can allow established connections also, isn't it making dynamic control decisions?

 

Perhaps some pointers to some useful information about the differences would be helpful. If anybody knows?

 

Thanks,

Evren

Distinguished Expert
Raheel
Posts: 414
Registered: ‎06-18-2008

Re: Security Policies vs. Stateless Firewall

Stateful vs. Stateless IP Filtering
discussed IP filtering in its most basic of terms. What was described is more commonly known as a "stateless" or "static" IP filtering.

There are several advantages to using a static IP filter. It has a combination of low overhead and high throughput. Stateless IP filters are very inexpensive, and many are free. They are included with router configuration software or are included with most Open Source operating systems. Being that a static IP filter does little more than simply route traffic, it is very good for traffic management.

On the other hand, there are quite a few disadvantages to using a static IP filter, especially with regard to security. Static IP filters allow direct connections from the external network to hosts on the internal network. Static filters can become cumbersome to maintain in complex environments. Static filters are vulnerable to IP spoofing attacks, unless they have been specifically configured to prevent this. All holes in the firewall are permanent; either a hole exists or it doesn't, there is no opening and closing connections based on outside criteria. And lastly, static IP filters offer no form of authentication.

As you can see, static packet filtering does not offer enough in the way of security to be the only gateway between an internal network and the Internet. Realizing the deficiencies of static filtering, developers had to come up with more dynamic or "intelligent" solutions. Enter stateful packet filtering.

The biggest difference between simple IP filtering and stateful IP filtering is that simple IP filters have no recollection of packets that have already passed through the filter. Every packet is handled on an individual basis. Previously forwarded packets belonging to a connection have no bearing on the filter's decision to forward or drop the packet.

There are actually two classes of stateful packet filtering. The first is based on a pure packet filtering environment. The second involves application proxies. A proxy acts as an intelligent intermediary between hosts on the internal network and hosts on the external network.

Application proxy servers (a.k.a application gateways), when properly configured, are probably the most intelligent firewall or gateway that you can have. Application proxies operate at the application layer of the OSI model. This allows proxies to make much more intelligent decisions about what traffic is allowed to pass.

The tradeoff, when compared to traditional packet filtering, is the overhead of running an application gateway. An application proxy makes two connections; one to the machine on the outside of the gateway and a separate connection to the machine on the inside of the gateway. Additionally, the application gateway processes authentication on behalf of the machine on the internal network. Therefore, the demands on the machine are significantly higher than those associated with a typical firewall.

Another problem associated with application gateways is the cost. Most application gateway solutions involve the use of expensive, proprietary software and/or hardware. Many advanced stateful packet filters are Open Source. In fact, one of the most common uses for Linux is to build a low cost stateful packet filtering firewall. Being that packet filtering with Linux is handled at the kernel level, the overhead is very low. I have heard of early Pentium class machines with minimal memory being resurrected as 100Mbps routers.

There are even projects devoted to running such systems with no hard drives. The machine is booted from a floppy that contains the kernel and all of the configuration information. Once the machine is up and running, the floppy is removed. This can be a very secure, very low cost solution for many small offices and home offices. 

 

On the other hand, a stateful packet filter is much less resource intensive than an application gateway, while not being completely unintelligent.

Stateful packet filtering does not necessarily address all of the problems with static filtering. Authentication may still not be addressed, however stateful packet filtering does add a new dimension of security to the otherwise inadequate security of static packet filtering.

Contributor
yurtesen
Posts: 58
Registered: ‎09-13-2008

Re: Security Policies vs. Stateless Firewall

Thanks for the information. It looks like policies are the way to go. :)
Contributor
yurtesen
Posts: 58
Registered: ‎09-13-2008

Re: Security Policies vs. Stateless Firewall

Raheel, the more I think, the more confused I get :)

 

1- The text says ' Static filters are vulnerable to IP spoofing attacks, unless they have been specifically configured to prevent this. '

 

Wouldn't it be possible to use static filters on interfaces but create a global zone which has a 'screen' which stops spoofing?

 

2-  ' All holes in the firewall are permanent; either a hole exists or it doesn't, there is no opening and closing connections based on outside criteria. '

 

Can you give an example of this? For example, if I have made a policy to allow HTTP (port 80) traffic into the zone, how does the stateful firewall close or open the connections based on outside criteria? (Isn't it always open?)

 

One can still use the screens the same way as in (1), no?

 

Also, by using the established connections feature, one can allow from outside to inside, let's say, only port 80, but when a connection is initiated from inside to outside, the data can be allowed to come in to any port since the connection would have been established.

 

3- "Previously forwarded packets belonging to a connection have no bearing on the filter's decision to forward or drop the packet."

 

Isn't this what the established connections feature does in static filters?

Sorry about the questions if they sound stupid. I guess I am sometimes very picky. Actually, security policies sound great and I would like to use them; the problem is that, as far as I know, I would need to manage 100s of policies if I have 5-6 zones in my network, which would kind of be a nightmare, so I am a little bit confused. Because using static firewall rules, I can set up an outgoing rule on an interface and drop a pile of stuff easily. With security policies, I need a policy (actually the same policy) from every other zone to the zone which has the interface.

Thanks,

Evren

 

 

Message Edited by yurtesen on 11-12-2008 12:29 AM
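
The "established" question raised in this thread, as an added example that is not part of any poster's message or of Juniper's documentation: a stateless "established" match is typically just a test for the ACK or RST bit on each packet (Junos documents `tcp-established` this way), while a stateful policy checks each packet against a table of sessions it has seen being opened. The rule set (outbound allowed, inbound port 80 allowed), the function names and the sample packets below are constructed for illustration; session timeouts and teardown are not modelled.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool  # True when the packet arrives from the outside network

def stateless_filter(pkt):
    """Per-packet rule set: allow all outbound, inbound port 80, and any
    inbound segment that merely looks established (ACK or RST bit set)."""
    if not pkt.inbound or pkt.dport == 80:
        return True
    return bool(pkt.flags & (ACK | RST))

def flow(pkt):
    # Direction-independent key so a reply maps to the session it belongs to.
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

class StatefulFilter:
    """Same policy, but non-SYN packets must match a recorded session."""
    def __init__(self):
        self.sessions = set()

    def check(self, pkt):
        policy_ok = not pkt.inbound or pkt.dport == 80
        if pkt.flags == SYN and policy_ok:
            self.sessions.add(flow(pkt))  # the "hole" opens only now
            return True
        return flow(pkt) in self.sessions

def compare():
    # Constructed sample traffic (documentation address ranges).
    packets = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, SYN, False),       # inside host opens a connection
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, SYN | ACK, True),  # genuine reply
        Packet("198.51.100.7", 4444, "10.0.0.5", 22, ACK, True),          # ACK with no prior connection
        Packet("198.51.100.7", 4445, "10.0.0.5", 22, SYN, True),          # new inbound connection to port 22
    ]
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.check(p)) for p in packets]

if __name__ == "__main__":
    for verdicts in compare():
        print("stateless=%s stateful=%s" % verdicts)
```

The third packet is the case that separates the two: the flag test accepts it because the ACK bit is set, while the session table rejects it because no connection between those endpoints was ever opened.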