From: Chris Brenton <cbrenton@chrisbrenton.org>
To: Randolph Jones <jonesrf1@qwest.net>
Cc: netfilter <netfilter@lists.netfilter.org>
Subject: Re: need for stateful packet inspection
Date: Thu, 27 May 2004 20:06:54 -0400
Message-ID: <1085702814.2093.22.camel@grendel>
In-Reply-To: <40B126AA.3050106@qwest.net>

On Sun, 2004-05-23 at 18:33, Randolph Jones wrote:
>
> I am considering buying a linksys router. It seems to have stateful
> packet inspection that blocks nonmatching incoming packets.

Stateful inspection is implemented on a per application basis, so
support for SI may mean that FTP gets inspected but not Telnet, DNS,
etc., etc.

Stateful packet filtering is implemented on a per transport basis, so
TCP and UDP may be handled but not ICMP, GRE, AH, etc., etc.

So you need to look a bit more closely at the device beyond whether it
supports SI or not. You have to see where it has been implemented.

> If I do not have a server exposed to the internet, do I need any
> packet inspection other than checking that all incoming packets match an 
> earlier outgoing request?

And the answer is.... "it depends". ;-)

FTP tends to "break" if you are not inspecting the payload and looking
for the port negotiations. Many devices get around this by only
supporting passive mode, but that requires you to open up all upper
ports. This is a great way to ensure that call home Trojans can get out
as well. Same is true for other complex protocols such as DCOM, Real
Audio, etc. etc. 

Also, you need SI to handle ICMP errors correctly. Type 3's and type
11's seem to be the covert channel of choice these days as many
firewalls let them blow right through.

So if the Linksys supports all of the above, you are cool. If it does
not but you don't care about any of the above, you are cool as well.
Otherwise, you may want to look into getting something more robust.

I have no idea what the Linksys looks like these days. I know a few
years back it was trivial to use loose source route to communicate with
hosts on the protected side of the device. You may want to test this.

HTH,
Chris
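The following is an added illustration of the two points Chris raises, written for this archive page; it is not part of his reply and not netfilter's own code. It is a toy model of a stateful filter between a protected LAN and the internet: plain 5-tuple matching admits replies to outbound connections, but (a) an active-mode FTP data connection arrives as a fresh inbound SYN and is only recognised if the PORT command in the control channel was inspected, (b) a passive-mode data connection can be allowed to the single port named in the server's 227 reply instead of opening every upper port outbound, and (c) an ICMP type 3 or 11 error matches no flow by its own header and is only "related" once the quoted original datagram is parsed and checked against the flow table. All addresses (RFC 5737 documentation ranges), the FTP messages, the ICMP byte layouts and the verdict labels (borrowed from conntrack's NEW/ESTABLISHED/RELATED naming) are constructed for the example.

```python
import re
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:  # one direction of a conversation; ports are 0 for ICMP
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

# FTP control-channel messages that announce a *future* data connection.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(rb"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def ftp_endpoint(m):  # h1,h2,h3,h4,p1,p2 -> (host, p1*256 + p2)
    host = ".".join(m.group(i).decode() for i in range(1, 5))
    return host, int(m.group(5)) * 256 + int(m.group(6))

def make_icmp_error(icmp_type, original, code=0):
    # Constructed ICMP type 3/11 message: 8-byte ICMP header, then the quoted
    # IP header and first 8 bytes of the transport header (RFC 792 layout).
    proto_num = {"tcp": 6, "udp": 17}[original.proto]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto_num, 0,
                         bytes(int(o) for o in original.src.split(".")),
                         bytes(int(o) for o in original.dst.split(".")))
    l4 = struct.pack("!HHI", original.sport, original.dport, 0)  # ports + seq
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip_hdr + l4

class StatefulFilter:  # toy model; not netfilter
    def __init__(self, allowed_out_ports):
        self.allowed_out_ports = set(allowed_out_ports)
        self.flows = set()       # tracked outbound (LAN -> internet) flows
        self.expect_in = set()   # (proto, dst, dport) the outside may open towards us
        self.expect_out = set()  # (proto, dst, dport) the LAN may open beyond the allow-list

    def outbound(self, flow, payload=b""):
        key = (flow.proto, flow.dst, flow.dport)
        if flow in self.flows:
            verdict = "ESTABLISHED"
        elif flow.dport in self.allowed_out_ports:
            verdict = "NEW"
        elif key in self.expect_out:        # e.g. a PASV data connection
            self.expect_out.discard(key)
            verdict = "RELATED"
        else:
            return "DROP"                    # arbitrary high port: "call home" style
        self.flows.add(flow)
        # Payload inspection: an active-mode PORT command names the inbound
        # connection to expect from the server; without it that SYN is just DROP.
        if flow.proto == "tcp" and flow.dport == 21 and (m := PORT_RE.match(payload)):
            self.expect_in.add(("tcp",) + ftp_endpoint(m))
        return verdict

    def inbound(self, flow, payload=b""):
        if flow.reverse() in self.flows:
            # Reply on a tracked flow. A 227 reply names the one port the client
            # connects to next, so no need to open every upper port outbound.
            if flow.proto == "tcp" and flow.sport == 21 and (m := PASV_RE.match(payload)):
                self.expect_out.add(("tcp",) + ftp_endpoint(m))
            return "ESTABLISHED"
        key = (flow.proto, flow.dst, flow.dport)
        if key in self.expect_in:
            self.expect_in.discard(key)
            self.flows.add(flow.reverse())   # track the data connection from now on
            return "RELATED"
        if flow.proto == "icmp":
            return self.icmp_error(payload)
        return "DROP"

    def icmp_error(self, icmp):
        # A type 3/11 error matches no flow by its own header; it is RELATED only
        # if the datagram it quotes belongs to a flow we opened ourselves.
        if len(icmp) < 28 or icmp[0] not in (3, 11):
            return "DROP"
        inner = icmp[8:]
        ihl = (inner[0] & 0x0F) * 4
        if ihl < 20 or len(inner) < ihl + 4:
            return "DROP"
        proto = {6: "tcp", 17: "udp"}.get(inner[9])
        src, dst = (".".join(map(str, inner[i:i + 4])) for i in (12, 16))
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        return "RELATED" if Flow(proto, src, sport, dst, dport) in self.flows else "DROP"

def demo():
    lan, srv, rtr = "192.0.2.10", "198.51.100.7", "203.0.113.1"   # RFC 5737 addresses
    fw, r = StatefulFilter({21, 53, 80, 443}), {}
    ctl = Flow("tcp", lan, 40000, srv, 21)
    r["ctl_syn"] = fw.outbound(ctl)                                   # NEW
    r["port_cmd"] = fw.outbound(ctl, b"PORT 192,0,2,10,156,65\r\n")   # 156*256+65 = 40001
    r["active_data"] = fw.inbound(Flow("tcp", srv, 20, lan, 40001))   # RELATED
    r["unsolicited"] = fw.inbound(Flow("tcp", srv, 20, lan, 40002))   # DROP
    r["pasv_reply"] = fw.inbound(ctl.reverse(), b"227 Entering Passive Mode (198,51,100,7,200,10)\r\n")
    r["pasv_data"] = fw.outbound(Flow("tcp", lan, 40003, srv, 51210)) # RELATED (200*256+10)
    r["call_home"] = fw.outbound(Flow("tcp", lan, 40004, "203.0.113.99", 51211))  # DROP
    icmp = Flow("icmp", rtr, 0, lan, 0)
    r["icmp_ours"] = fw.inbound(icmp, make_icmp_error(3, ctl))         # RELATED
    r["icmp_bogus"] = fw.inbound(icmp, make_icmp_error(11, Flow("tcp", lan, 55555, "203.0.113.99", 4444)))  # DROP
    return r
```

Running demo() walks one FTP session and two ICMP errors through the model. The contrast between active_data and unsolicited shows what the PORT inspection buys, pasv_data against call_home shows why inspecting the 227 reply avoids a blanket upper-port allow, and icmp_ours against icmp_bogus shows that an ICMP type 3 or 11 can only be classified by looking inside it. Real netfilter does the equivalent with the FTP conntrack helper and the RELATED state; the code above is only a model of that logic.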

Thread overview: 3+ messages
2004-05-23 22:33 need for stateful packet inspection Randolph Jones
2004-05-27  8:04 ` John A. Sullivan III
2004-05-28  0:06 ` Chris Brenton [this message]