Importance of Stateful Firewalls. . .

Discussion in 'other firewalls' started by walking paradox, Feb 19, 2007.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It was the "Attack Plugin" that was reporting such packets (sent down an open connection) as xmas scan/SYN RST packets as connection attempts. A packet sent with all flags set was intercepted by the "Attack plugin" as a "Rst attack".
    As these intercepted packets were part of an already established connection, the SPI is not filtering these; it is the "Attack Plugin".
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I think the plugin will block all incoming packets with the Syn flag as connection attempts and any with the Rst flag as a "Rst Attack" so it wouldn't identify Kamikaze/Xmas packets (all flags set) specifically.

    Obviously, this plugin does need to be disabled (or at least, trimmed down in the type of attacks detected) if you wish to run a server of any description (including most filesharing applications).
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I was just trying to work out why, from an already established connection, the "Attack Plugin" was intercepting these. It does look like all packets are passed through this Plugin before being passed to the SPI.
     
  4. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    So does that mean that SPI is only really essential on TCP protocol, and that SPI on UDP and ICMP is 'largely irrelevant for personal users'? And by 'largely irrelevant for personal users,' do you mean it provides little or no additional security protection for personal users?
    So virtually all software firewalls have at least basic SPI?

    Also, do the varying implementations of SPI by firewalls, even when considering just basic SPI, potentially render one more effective and secure than another?
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Because (a) the plugins work independently from the rules engine (i.e. Attack Detection has no knowledge of what packets belong to established connections) and (b) as you note, plugins get to process packets before the rules engine (covered in the Outpost Rules Processing Order FAQ).

    In this case though, the results are beneficial - an attack is an attack regardless of whether it uses an established connection or not.
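As an added illustration (not Outpost's code and not posted by anyone in this thread), the Python model below separates the two stages described above: a flag-only attack detector that has no knowledge of connection state, and a connection-tracking (SPI) filter that does. Hosts, ports, verdict strings and the `Packet`/`StatefulFilter` names are all constructed for the example.

```python
from collections import namedtuple

SYN, ACK, RST, FIN, PSH, URG = "SYN", "ACK", "RST", "FIN", "PSH", "URG"
ALL_FLAGS = frozenset({SYN, ACK, RST, FIN, PSH, URG})  # "Xmas"/Kamikaze packet
Packet = namedtuple("Packet", "src sport dst dport flags")

def stateless_attack_detector(pkt):
    """Flag-only verdict, modelling the Attack Detection plugin as the thread
    describes it: no knowledge of whether a connection already exists."""
    if pkt.flags == ALL_FLAGS:
        return "xmas scan"
    if RST in pkt.flags:
        return "Rst attack"
    if SYN in pkt.flags and ACK not in pkt.flags:
        return "connection attempt"
    return None  # nothing suspicious on flags alone

class StatefulFilter:
    """Minimal SPI model: remembers connections this host initiated and judges
    inbound packets against that table."""
    def __init__(self):
        self.table = set()  # (local_ip, local_port, remote_ip, remote_port)

    def outbound(self, pkt):
        if SYN in pkt.flags and ACK not in pkt.flags:  # we opened a connection
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return "drop: no matching connection"
        if pkt.flags == ALL_FLAGS:
            return "drop: invalid flag combination"  # malformed even on a known connection
        if RST in pkt.flags:
            self.table.discard(key)  # peer aborted the connection; forget it
        return "accept"

def run_scenario():
    """Constructed traffic: this host connects out to a web server, then four inbound packets are judged by both stages."""
    me, srv = ("192.0.2.10", 40000), ("198.51.100.5", 80)
    spi = StatefulFilter()
    spi.outbound(Packet(*me, *srv, frozenset({SYN})))
    inbound = [  # order matters: the RST tears the table entry down
        ("data on established connection", Packet(*srv, *me, frozenset({ACK, PSH}))),
        ("all flags on established connection", Packet(*srv, *me, ALL_FLAGS)),
        ("RST on established connection", Packet(*srv, *me, frozenset({RST, ACK}))),
        ("unsolicited SYN from elsewhere", Packet("203.0.113.7", 5555, *me, frozenset({SYN}))),
    ]
    return {name: (stateless_attack_detector(p), spi.inbound(p)) for name, p in inbound}
```

The RST case is the one discussed in the thread: the flag-only stage reports it as a "Rst attack" while the connection-tracking stage sees it as the teardown of a connection it already knows about.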
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Well as we are talking of SPI, and not plugins, I will try later with the plugin removed, so I will be checking the SPI engine.
     