Old 01-30-2002, 01:59 AM   #24
Felix
Member (10 bit)
 
Join Date: Mar 1999
Location: Zurich, Switzerland
Posts: 797
I tried to explain Stateful Inspection above. It's when the firewall checks all traffic and only allows data packets to pass which belong to an outgoing connection.

Imagine an outgoing connection: Your browser sends a request for a web page to a server, maybe PC Mech. Thus it uses the HTTP protocol, which is indicated by using port 80. If a data packet comes in from the PC Mech server addressed to you, using port 80, it seems to be the answer to your request, right? (I don't know if there are more sophisticated tricks to decide whether an answer belongs to a question that went out before, or not.) Now, a day later, while you're spending the weekend with your mother-in-law, a data packet arrives with the sender's IP the same as PC Mech's and the recipient's IP yours, using port 80. There is no reference to those IP addresses and port 80 at that time. Thus it must be an incoming connection. If you were the firewall - what would you do?

With FTP, things are a little more complicated since an FTP session uses an outgoing connection on port 20 and an incoming connection on port 21 (or the other way round, I'm not 100% sure). The firewall must handle the outgoing and the incoming connection as belonging together, and refuse all other incoming connections. This outgoing / incoming thingy makes FTP a relatively risky protocol, which, however, is handled fine by today's firewalls.

A packet filter just looks at the sender's IP, the recipient's IP and the port number and checks whether part of it or the whole combination is on the "black list", and if so traps the packet. But it can't decide whether it belongs to an outgoing or an incoming connection. You know, like this thread, every conversation, even between computers, needs some sort of "question and answer" game. This means (regarding our outgoing HTTP request mentioned above) the browser asks a question and the server sends an answer. So there were packets sent from both your IP and the web server's IP, but it is still only an outgoing connection.

A "black box" is a term for, errr, just that - a black box. It has some inputs and some outputs, but you can't see what happens inside, nor can you influence the inside stuff except through the handles that are provided by the builder of the black box.

Example: A Disc Man or other CD player. There are some handles and knobs, a headphone plug, and a door to insert a CD. The output is music. That's it. Nothing else. You don't know exactly what happens inside.

The other concept is to make custom-built items, such as a PC with a CD-ROM drive, a sound card, and speakers. This allows you to highly customize the way a CD will be played; however, you can mess up almost everything, while the black box player is foolproof.

That's what I meant: A "black box" style item is nearly foolproof, no matter whether it's a car, VCR, CD player, or firewall. A custom-made item, especially when based on a PC, tends to fail every once in a while, mostly because it's puzzled together from function bricks, which finally leads to an overblown design, even if not needed. This will kill your firewall. Or, say, what purpose do a CD player and a sound card have in a firewall system? See the picture?

Hope things are a bit more clear now... If not, repost.
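The difference Felix describes between a stateless packet filter and stateful inspection, as an added example that is not part of the original post. It feeds one constructed packet sequence (the HTTP request, the reply, the "same addresses a day later" packet, and a third party using source port 80) to both a rule-list filter and a toy firewall that keeps a connection table with an idle timeout. It also models the FTP case: the example assumes active-mode FTP as specified in RFC 959, where the client opens the control connection to server port 21 and the server then connects back from its port 20 to the port the client announced, so a helper pre-authorises exactly that one incoming connection. All addresses, ports and timestamps are constructed, and the class and function names are this example's own.

```python
"""Toy stateless packet filter vs. stateful inspection (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: float  # arrival time in seconds


# Constructed addresses from the RFC 5737 documentation ranges, not real hosts.
MY_IP = "192.0.2.10"
PCMECH_IP = "198.51.100.80"
OTHER_IP = "203.0.113.7"
IDLE_TIMEOUT = 3600.0  # forget a connection after an hour without traffic


class PacketFilter:
    """Stateless filter: first matching rule wins, default deny.
    A rule is (action, src_ip, src_port, dst_ip, dst_port); None matches anything.
    It has no memory, so it cannot tell a reply from an unsolicited packet."""

    def __init__(self, rules):
        self.rules = rules

    def allow(self, pkt):
        for action, sip, sport, dip, dport in self.rules:
            if (sip in (None, pkt.src_ip) and sport in (None, pkt.src_port)
                    and dip in (None, pkt.dst_ip) and dport in (None, pkt.dst_port)):
                return action == "allow"
        return False


class StatefulFirewall:
    """Lets outgoing connections through, remembers them, and admits an incoming
    packet only if it belongs to a remembered (or pre-authorised) connection."""

    def __init__(self, my_ip, idle_timeout=IDLE_TIMEOUT):
        self.my_ip = my_ip
        self.idle_timeout = idle_timeout
        self.table = {}     # (local_port, remote_ip, remote_port) -> last seen
        self.expected = {}  # same key; filled by the FTP helper for data connections

    def _key(self, pkt):
        # Normalise both directions of one connection to the same key.
        if pkt.src_ip == self.my_ip:
            return (pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_port, pkt.src_ip, pkt.src_port)

    def _expire(self, now):
        for key, last in list(self.table.items()):
            if now - last > self.idle_timeout:
                del self.table[key]

    def allow(self, pkt):
        self._expire(pkt.ts)
        key = self._key(pkt)
        if pkt.src_ip == self.my_ip:   # outgoing: open a state entry
            self.table[key] = pkt.ts
            return True
        if key in self.table:          # answer to something we sent earlier
            self.table[key] = pkt.ts
            return True
        if key in self.expected:       # the data connection the FTP helper announced
            del self.expected[key]
            self.table[key] = pkt.ts
            return True
        return False                   # unsolicited incoming connection

    def ftp_port_command(self, local_port, server_ip):
        """FTP helper (assumed active mode): the client told the server on the
        control connection which local port to connect back to; the server will
        connect from its port 20. Pre-authorise that single connection only."""
        self.expected[(local_port, server_ip, 20)] = True


def run_scenario():
    """Run the constructed packet sequence through both firewalls.
    Returns {step: (stateless verdict, stateful verdict)}."""
    stateless = PacketFilter([
        ("allow", MY_IP, None, None, None),  # anything we send out
        ("allow", None, 80, MY_IP, None),    # needed so HTTP replies get back in
        ("allow", None, 20, MY_IP, None),    # needed so FTP data connections get in
    ])
    stateful = StatefulFirewall(MY_IP)
    verdicts = {}

    def judge(name, pkt):
        verdicts[name] = (stateless.allow(pkt), stateful.allow(pkt))

    judge("request", Packet(MY_IP, 51000, PCMECH_IP, 80, ts=0.0))
    judge("reply", Packet(PCMECH_IP, 80, MY_IP, 51000, ts=0.2))
    judge("stale", Packet(PCMECH_IP, 80, MY_IP, 51000, ts=86400.0))   # a day later
    judge("spoofed", Packet(OTHER_IP, 80, MY_IP, 51000, ts=86401.0))  # anyone using port 80
    judge("ftp_control", Packet(MY_IP, 51001, PCMECH_IP, 21, ts=100.0))
    stateful.ftp_port_command(local_port=51002, server_ip=PCMECH_IP)
    judge("ftp_data", Packet(PCMECH_IP, 20, MY_IP, 51002, ts=100.5))
    judge("ftp_other", Packet(OTHER_IP, 20, MY_IP, 51003, ts=100.6))
    return verdicts


if __name__ == "__main__":
    for step, (sl, sf) in run_scenario().items():
        print(f"{step:12s} stateless={sl!s:5s} stateful={sf}")
```

The stateless filter has to carry a standing "allow from source port 80" rule just to let replies back in, and that same rule admits the packet that arrives a day later and the one from an unrelated host. The stateful table answers Felix's question by saying no to both: the entry for the original request has expired, so there is nothing to match. For FTP the same pattern repeats with port 20, which is why real firewalls need a protocol-aware helper rather than an open port.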