[fw-wiz] Firewalls that generate new packets..
Marcus J. Ranum
mjr at ranum.com
Sun Nov 25 21:41:29 EST 2007
One of the fun questions I used to ask my firewalls tutorial
attendees (back in the day) is:
What is a stateful inspection firewall? I.e.: what does it DO?
The answers are usually illuminating. Nobody seems to
actually know. But after some hemming and hawing you
can often converge on something like:
"A stateful firewall builds virtual session state based on its
permission tables and tracks packets back and forth."
That opens some fun questions like: "What does it apply
to do this tracking?" And the usual answer is something
- source port
- destination port
- and _MAYBE_ sequence number (or maybe just a 1 in stream->permit)
What about packets that are out of window? What's the size of the window?
How is the window computed? What about packets out of sequence? What
about fragments? What about overlapping packet fragments? Well, the
answers to those questions seem fairly hard to get, for virtually all of the
commercial firewalls. But, gee, the answers to those questions (which would
comfortably fit on a post-it note) are the entire "design" of a "stateful
firewall" right there.
Isn't that kind of amazing? People look at these "stateful firewalls" as
if they're somehow doing something IMPORTANT but they're basically
a router with "established" and a kind of "synthetic established" for UDP.
People, that's barely a security device at all - 99% of what you're
getting is the "firewall" sticker on the front.
The value these devices offer above and beyond router ACLs is so
ridiculously marginal that there's no justification in my mind for their
additional cost. Sure, they "do something" with UDP, but the significant
stuff you'll bump into with UDP is all layer-7 regarding DNS. In fact,
the value proposition of a "stateful firewall" is effectively zero and you
can replace it with some layer-7 hardening and a router with port-level
ACLs. Note that layer-7 hardening is already required - which is a
darned good thing because "stateful firewalls" do - well - what DO
they do - at layer-7? Layer-7 is where all the interesting attacks are,
I submit to you that the reason it's hard to find out what a "stateful
firewall" actually does is because they do so little that it is positively
Not to let the proxies off the hook - most proxies are also mysterious
black boxes that work at layer-7 and "do something" - but, what?
The original value of the proxy concept was not to have a proxy
that works cleanly and easily with everything. The original value of
the proxy concept was protocol minimization. You only need
5 operations to send me an SMTP email message - so those are
the 5 operations you get, and nothing more. That whole model
started to fall apart in the mid 1990s when there was a plethora
of new bad software that implemented the existing bad protocols
in new bad ways. And, of course, there are the standards pukes,
constantly working to add new important bad options to existing
bad software, so as to make the firewalls increasingly complex.
The market reality of the firewall industry has forced the proxy
vendors (I guess it's really Secure Computing, now...) to compete
with the "stateful inspection" crap by handling more protocol
options and variant forms. Too bad.
Security is such a disaster because we're fighting and losing
a battle with software complexity and extravagantly stupid
software specifications. Firewalls, rather than acting as bastions
against the complexity, have "adapted" by succumbing to
that complexity themselves.
In another 10 years, if I'm still around, I'll probably work
up the energy for an "I told you so" posting. But I've done
that so many times I'm getting as tired of doing it as you
guys probably are of hearing it.
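
Added example, not part of the original post and not any vendor's code: the session tracking the post describes, with each open question (window size, out-of-sequence packets, UDP) answered by an explicit choice. The class names, the fixed 65535-byte window, the 30-second UDP timeout and the retransmission handling are assumptions; TCP flags and fragments are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

WINDOW = 65535    # assumed fixed acceptance window, in bytes
UDP_IDLE = 30.0   # assumed idle timeout (seconds) for "synthetic established" UDP

@dataclass
class Flow:
    last_seen: float
    rcv_next: Optional[int] = None   # next sequence number expected from the remote side

class StateTable:
    def __init__(self, permit):
        self.permit = permit   # permission table: set of (proto, dst_port) allowed outbound
        self.flows = {}        # session state keyed on the 5-tuple

    def outbound(self, proto, src, sport, dst, dport, now):
        """Inside host sends: consult the permission table, then create or refresh state."""
        if (proto, dport) not in self.permit:
            return "drop:policy"
        self.flows.setdefault((proto, src, sport, dst, dport), Flow(now)).last_seen = now
        return "pass"

    def inbound(self, proto, src, sport, dst, dport, now, seq=0, length=0):
        """Outside host sends: pass only if it mirrors a tracked flow."""
        key = (proto, dst, dport, src, sport)       # reverse of the outbound key
        flow = self.flows.get(key)
        if flow is None:
            return "drop:no-state"
        if proto == "udp":
            if now - flow.last_seen > UDP_IDLE:     # UDP has no teardown, so state just expires
                del self.flows[key]
                return "drop:expired"
        elif flow.rcv_next is None:
            flow.rcv_next = (seq + 1) % 2**32       # first reply (SYN-ACK) fixes the sequence base
        else:
            offset = (seq - flow.rcv_next) % 2**32  # distance ahead of the expected byte, mod 2^32
            if offset >= WINDOW:                    # also rejects data behind rcv_next (retransmits)
                return "drop:out-of-window"
            if offset == 0:                         # in order: advance; ahead: pass without advancing
                flow.rcv_next = (seq + length) % 2**32
        flow.last_seen = now
        return "pass"
```
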