Solved

Firewall Question

Posted on 2002-03-08
Last Modified: 2013-11-16
I have a quick question re: port issues on a Stateful Inspection firewall, i.e. FW-1.

(For simplicity I am assuming no NAT!)
OK, I am on my company's LAN and want to connect to, e.g., www.bbc.com. I understand that I make a connection to their web server on TCP port 80, and their web server connects back to my machine on a random high-end port.

My question is how do FW rules apply to this, i.e. let out traffic for port 80 and anything back in? (i.e. to connect to my machine on the high-range port) Therefore do the rules apply going out/coming in, or does the firewall dynamically open the port coming back in?

Thanks
Question by:dbrannigan
4 Comments
Accepted Solution by: scraig84 (LVL 8), earned 100 total points
ID: 6850389
Your last statement is correct. The firewall will see that a TCP SYN packet has gone out from a particular source port on the inside to a particular destination port on the outside. When the ACK packet comes back with the ports and addresses reversed (source now destination and vice-versa), the firewall will let that information flow. It is stateful as it will watch the state of the connection - it will not allow a server on the outside to just randomly send packets with a source of 80 to any inside port. Also, once the TCP session is completed, the firewall re-blocks the ports. This way, somebody watching the session can't come in later spoofing the original destination IP address and ports and establish a connection with the inside. The firewall will know that the session is over and not allow the communication.

Even filters on routers can do this to some degree, for example using the "established" keyword on a Cisco ACL.

Hope this helps and made some sense!
Expert Comment by: SteveJ (LVL 16)
ID: 6850419
What scraig84 said is correct. I would add that some "stateful" inspection engines will incorrectly allow a packet through just because an ACK bit is set, on the assumption that it is a response packet. I believe this was a problem with the "established" keyword in Cisco ACLs. I could be wrong. I'm CERTAIN someone will correct me.

Good luck.
Steve
Expert Comment by: scraig84 (LVL 8)
ID: 6850436
You are wrong wrong wrong wrong!!! :)

Actually, I do think Cisco had some problems with that. They did create a new way to create this scenario that was supposed to be better, but I forget what it's called (dynamic ACL?) or how to do it. It was much messier and had a lot more config lines, is all I can remember. In my opinion, if you are pretending that a router ACL is good enough for security, you're asking for a world of hurt anyway, so why care?
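As an added illustration, not code from this thread, from FW-1 or from any vendor, here is a small Python model of the two behaviours the experts above compare: a stateful connection tracker of the kind scraig84 describes (reply traffic is admitted only for a session an inside host opened, and the entry is dropped once the session closes), and a stateless ACK-bit rule of the kind SteveJ is wary of, which is what a Cisco extended ACL line such as `permit tcp any any established` does. The LAN prefix, addresses, ports and the packet sequence are all constructed, and the state machine is a deliberately simplified TCP model.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."           # constructed: the company LAN
OUTBOUND_ALLOWED_PORTS = {80, 443}  # policy: inside hosts may browse the web


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}

    @property
    def inbound(self) -> bool:
        """True when the segment arrives from the outside world."""
        return not self.src_ip.startswith(INSIDE_PREFIX)


def ack_bit_filter(pkt: Packet) -> bool:
    """Stateless 'established'-style rule: any inbound segment with ACK (or
    RST) set is presumed to be a reply; nothing about past traffic is kept."""
    if not pkt.inbound:
        return pkt.dst_port in OUTBOUND_ALLOWED_PORTS
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFirewall:
    """Connection tracker: inbound is allowed only for sessions opened from inside."""

    def __init__(self):
        # key: (inside_ip, inside_port, outside_ip, outside_port)
        self.table = {}

    @staticmethod
    def _key(pkt: Packet):
        if pkt.inbound:
            return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def filter(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        entry = self.table.get(key)

        if entry is None:
            # Only an outbound SYN to a permitted service may create state.
            if (not pkt.inbound and pkt.flags == {"SYN"}
                    and pkt.dst_port in OUTBOUND_ALLOWED_PORTS):
                self.table[key] = {"state": "SYN_SENT", "fins": 0}
                return True
            return False  # no session: drop, whatever the flags say

        if "RST" in pkt.flags:  # either side aborts: forget the session
            del self.table[key]
            return True

        if entry["state"] == "SYN_SENT":
            if not pkt.inbound:
                return True  # outbound retransmission of the SYN
            if pkt.flags == {"SYN", "ACK"}:
                entry["state"] = "ESTABLISHED"
                return True
            return False  # anything else from outside is not the reply

        if entry["state"] == "ESTABLISHED":
            if "FIN" in pkt.flags:
                entry["fins"] += 1
                if entry["fins"] == 2:
                    entry["state"] = "LAST_ACK"
            return True

        # LAST_ACK: the final ACK completes the close; the ports re-close.
        if "ACK" in pkt.flags:
            del self.table[key]
            return True
        return False


def run_scenario():
    """Replay a browsing session plus unsolicited inbound segments; return
    (label, stateful_verdict, ack_bit_verdict) per packet, in order."""
    client, server = "10.0.0.5", "203.0.113.10"  # constructed addresses
    F = frozenset
    script = [
        ("syn out", Packet(client, 40000, server, 80, F({"SYN"}))),
        ("syn/ack back", Packet(server, 80, client, 40000, F({"SYN", "ACK"}))),
        ("ack out", Packet(client, 40000, server, 80, F({"ACK"}))),
        ("http reply", Packet(server, 80, client, 40000, F({"ACK"}))),
        ("unsolicited ack", Packet(server, 80, client, 40001, F({"ACK"}))),
        ("inbound syn", Packet(server, 51000, client, 445, F({"SYN"}))),
        ("fin out", Packet(client, 40000, server, 80, F({"FIN", "ACK"}))),
        ("fin back", Packet(server, 80, client, 40000, F({"FIN", "ACK"}))),
        ("last ack out", Packet(client, 40000, server, 80, F({"ACK"}))),
        ("ack after close", Packet(server, 80, client, 40000, F({"ACK"}))),
    ]
    fw = StatefulFirewall()
    return [(label, fw.filter(p), ack_bit_filter(p)) for label, p in script]
```

Running `run_scenario()` shows both filters agreeing on the legitimate handshake, data and teardown, and both dropping the inbound SYN to port 445. They part ways on the two packets that matter: the "unsolicited ack" from port 80 to an inside port that never opened a session, and the "ack after close" on the 4-tuple whose entry was removed at teardown. The ACK-bit rule passes both, because the flag alone looks like a reply; the tracker drops both, which is exactly the re-blocking of the ports that the accepted answer describes.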
Author Comment by: dbrannigan
ID: 6850479
Excellent as always, scraig84! Cheers