* need for stateful packet inspection
@ 2004-05-23 22:33 Randolph Jones
  2004-05-27  8:04 ` John A. Sullivan III
  2004-05-28  0:06 ` Chris Brenton
  0 siblings, 2 replies; 3+ messages in thread
From: Randolph Jones @ 2004-05-23 22:33 UTC (permalink / raw)
  To: netfilter

I am ignorant re iptables.

I am considering buying a linksys router. It seems to have stateful 
packet inspection that blocks nonmatching incoming packets.

If I do not have a server exposed to the internet, do I need any
packet inspection other than checking that all incoming packets match an 
earlier outgoing request?

TIA
rfjones



* Re: need for stateful packet inspection
  2004-05-23 22:33 need for stateful packet inspection Randolph Jones
@ 2004-05-27  8:04 ` John A. Sullivan III
  2004-05-28  0:06 ` Chris Brenton
  1 sibling, 0 replies; 3+ messages in thread
From: John A. Sullivan III @ 2004-05-27  8:04 UTC (permalink / raw)
  To: Randolph Jones; +Cc: netfilter

On Sun, 2004-05-23 at 18:33, Randolph Jones wrote:
> I am ignorant re iptables.
> 
> I am considering buying a linksys router. It seems to have stateful 
> packet inspection that blocks nonmatching incoming packets.
> 
> If I do not have a server exposed to the internet, do I need any
> packet inspection other than checking that all incoming packets match an 
> earlier outgoing request?
> 
> TIA
> rfjones
In short, no.  If your needs are minimal and you do not need to manage
multiple devices a linksys may be fine for you.  I cannot speak to the
quality of Linksys; I have not used them.  However, not all stateful
inspection engines are created equal.  Consider what functionality you
may need in the future.  Consider how important reliability is, i.e., 
if the device occasionally fails and needs to be reset, is that a
problem. However, for very simple needs, a Linksys will probably be
fine.
Does anyone else have any thoughts, comments or insults?
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 




* Re: need for stateful packet inspection
  2004-05-23 22:33 need for stateful packet inspection Randolph Jones
  2004-05-27  8:04 ` John A. Sullivan III
@ 2004-05-28  0:06 ` Chris Brenton
  1 sibling, 0 replies; 3+ messages in thread
From: Chris Brenton @ 2004-05-28  0:06 UTC (permalink / raw)
  To: Randolph Jones; +Cc: netfilter

On Sun, 2004-05-23 at 18:33, Randolph Jones wrote:
>
> I am considering buying a linksys router. It seems to have stateful 
> packet inspection that blocks nonmatching incoming packets.

Stateful inspection is implemented on a per application basis, so
support for SI may mean that FTP gets inspected but not Telnet, DNS,
etc., etc.

Stateful packet filtering is implemented on a per transport basis, so
TCP and UDP may be handled but not ICMP, GRE, AH, etc., etc.

So you need to look a bit more closely at the device beyond whether it
supports SI or not. You have to see where it has been implemented.

> If I do not have a server exposed to the internet, do I need any
> packet inspection other than checking that all incoming packets match an 
> earlier outgoing request?

And the answer is.... "it depends". ;-)

FTP tends to "break" if you are not inspecting the payload and looking
for the port negotiations. Many devices get around this by only
supporting passive mode, but that requires you to open up all upper
ports. This is a great way to ensure that call home Trojans can get out
as well. Same is true for other complex protocols such as DCOM, Real
Audio, etc. etc. 

Also, you need SI to handle ICMP errors correctly. Type 3's and type
11's seem to be the covert channel of choice these days as many
firewalls let them blow right through. 

So if the Linksys supports all of the above, you are cool. If it does
not but you don't care about any of the above, you are cool as well.
Otherwise, you may want to look into getting something more robust.

I have no idea what the Linksys looks like these days. I know a few
years back it was trivial to use loose source route to communicate with
hosts on the protected side of the device. You may want to test this.

HTH,
Chris
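The three distinctions Chris draws above (transport-level state tracking, application-level inspection of FTP's PORT negotiation, and treating ICMP type 3/11 errors as related only when they quote a flow the inside host actually opened) can be seen side by side in a small simulated filter. The code below is an added illustration written for this archive page; it is not netfilter code and not anything posted in the thread. The addresses, ports, class names and the traffic in `run_scenario()` are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp", "icmp", "gre", ...
    src: str
    dst: str
    sport: int = 0                    # for ICMP echo, carry the identifier here
    dport: int = 0
    icmp_type: Optional[int] = None   # set for ICMP packets
    inner: Optional["Packet"] = None  # ICMP errors quote the header that caused them
    payload: bytes = b""


class StatefulFilter:
    """Toy connection tracker for an 'inside' network (constructed example)."""

    TRACKED = ("tcp", "udp", "icmp")   # transports this tracker understands

    def __init__(self, inside_prefix="192.0.2."):
        self.inside_prefix = inside_prefix
        self.flows = set()    # transport state: (proto, src, sport, dst, dport), outbound direction
        self.expect = set()   # application state: (proto, src, dst, dport) inbound connects to expect

    def _is_inside(self, ip): return ip.startswith(self.inside_prefix)
    def _fwd(self, p): return (p.proto, p.src, p.sport, p.dst, p.dport)
    def _rev(self, p): return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p):
        return self._outbound(p) if self._is_inside(p.src) else self._inbound(p)

    def _outbound(self, p):
        # Stateful *filtering* is per transport: only protocols the tracker
        # understands get an entry, so only their replies can be matched later.
        if p.proto not in self.TRACKED:
            return "DROP"
        self.flows.add(self._fwd(p))
        # Stateful *inspection* is per application: an FTP helper reads the
        # control channel to learn which inbound data connection to expect.
        if p.proto == "tcp" and p.dport == 21:
            self._ftp_helper(p)
        return "ACCEPT"

    def _inbound(self, p):
        if p.proto == "icmp" and p.icmp_type in (3, 11):
            # Destination-unreachable / time-exceeded: RELATED only if the quoted
            # header belongs to a flow we opened; an unsolicited error is dropped
            # rather than let through as a possible covert channel.
            if p.inner is not None and self._fwd(p.inner) in self.flows:
                return "ACCEPT"
            return "DROP"
        if p.proto in self.TRACKED and self._rev(p) in self.flows:
            return "ACCEPT"   # ESTABLISHED: a reply to something we sent
        key = (p.proto, p.src, p.dst, p.dport)
        if p.proto == "tcp" and key in self.expect:
            self.expect.discard(key)
            self.flows.add(self._rev(p))   # now track the negotiated data connection
            return "ACCEPT"   # RELATED: the FTP helper announced this connect-back
        return "DROP"         # NEW from outside: nothing is exposed

    def _ftp_helper(self, p):
        # Active-mode "PORT h1,h2,h3,h4,p1,p2" asks the server to connect back.
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", p.payload)
        if not m:
            return
        n = [int(x) for x in m.groups()]
        host, port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
        if host != p.src:     # refuse to open a hole for any address but the speaker
            return
        self.expect.add(("tcp", p.dst, host, port))


def run_scenario():
    """Constructed traffic exercising each case; returns verdicts by name."""
    fw = StatefulFilter()
    web = Packet("tcp", "192.0.2.10", "203.0.113.5", 40000, 80)
    ftp = Packet("tcp", "192.0.2.10", "203.0.113.21", 40001, 21,
                 payload=b"PORT 192,0,2,10,160,0\r\n")    # data port 160*256+0 = 40960
    bad = Packet("tcp", "192.0.2.10", "203.0.113.21", 40001, 21,
                 payload=b"PORT 192,0,2,11,160,0\r\n")    # names a neighbour, not itself
    stray = Packet("udp", "192.0.2.10", "198.51.100.9", 5555, 53)   # never actually sent
    v = {}
    v["web_out"] = fw.handle(web)
    v["web_reply"] = fw.handle(Packet("tcp", "203.0.113.5", "192.0.2.10", 80, 40000))
    v["unsolicited_syn"] = fw.handle(Packet("tcp", "198.51.100.7", "192.0.2.10", 1234, 22))
    v["ttl_exceeded_related"] = fw.handle(Packet("icmp", "203.0.113.1", "192.0.2.10",
                                                 icmp_type=11, inner=web))
    v["unreachable_unrelated"] = fw.handle(Packet("icmp", "198.51.100.1", "192.0.2.10",
                                                  icmp_type=3, inner=stray))
    v["gre_out"] = fw.handle(Packet("gre", "192.0.2.10", "203.0.113.30"))
    v["ftp_control"] = fw.handle(ftp)
    v["ftp_data_expected"] = fw.handle(Packet("tcp", "203.0.113.21", "192.0.2.10", 20, 40960))
    v["ftp_control_third_party"] = fw.handle(bad)
    v["data_to_neighbour"] = fw.handle(Packet("tcp", "203.0.113.21", "192.0.2.11", 20, 40960))
    return v


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:26s} {verdict}")
```

The GRE case shows the per-transport limit: a transport the tracker does not model cannot have its replies matched, so it is either dropped or has to be opened statelessly. On a Linux box the transport-level part is what `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` relies on, the ICMP error handling is what conntrack classifies as RELATED, and the application-level part is the job of a helper module such as `nf_conntrack_ftp`; whether a consumer router does any of the three is exactly the question to ask of it.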



