Network Security

Hello Experts,

I am kinda confused by some terms. Please clarify the following:

stateless packet filtering vs. stateful packet filtering

Thanks for all your help
kevinf40 commented:
Hi elyrodriguez

Packet filtering firewalls cannot really be considered IDS/IPS systems (although Rich's comment regarding log monitoring is perfectly valid).

A packet filtering firewall applies rules to connections - e.g. anyone can connect to server X on port 80. But they do not have any intelligence (in general, although many firewalls do now allow for some application intelligence) about what is sent to that port. So although you may only be able to connect to the web server on port 80, you can send any data you like to that port - hence it is still vulnerable to attack.

An IPS / IDS device will use a combination of filters and / or heuristics to apply intelligence to what traffic is actually allowed. So, continuing the above example, if you put an IPS device behind the firewall, this would then monitor the port 80 traffic to the web server and either alert on or block anything suspicious (e.g. worms etc.) - thus offering further protection for your web server.

Personally (I can't comment specifically on snort) I prefer in-line IPS devices as they can actually block traffic rather than relying on either changing firewall rules or sending resets.

As both IDS / IPS devices suffer from false positives, it is usual to configure them to monitor / alert only initially (especially IPS) in order to get a sensible baseline before allowing them to perform further actions.

Some vendors are now offering devices that offer both firewall and IDS functionality in one box. The next stage of IDS / IPS is building it into core switches, thus allowing entire internal networks to be protected by one device - although these are currently in their infancy, and rather expensive.

IDS / IPS devices also offer value used on internal networks - as well as helping prevent the spread of malware, they can also spot many configuration errors such as blank sa passwords and use of banned protocols (e.g. we don't allow ftp or telnet on our network).
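The following is an added example, not code from the thread or from any of the products named in it. It simulates the two terms the question asks about (a stateless filter judging each packet by its own headers, a stateful filter keeping a connection table) and the point above that the "anyone can connect to server X on port 80" rule admits any bytes at all to that port, so a separate payload check is needed. All addresses, ports and packets are constructed; the conformance check is a minimal stand-in for an IPS signature, not a real rule set.

```python
"""Constructed simulation: stateless vs stateful packet filtering, plus an
IPS-style payload check. Added example; addresses and packets are made up."""
import re
from dataclasses import dataclass

WEB_SERVER = "10.0.0.5"   # constructed internal host behind the "port 80 open to anyone" rule


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flags present, e.g. frozenset({"SYN"})
    payload: bytes = b""


def stateless_allow(pkt: Packet) -> bool:
    """Each packet is judged on its own header fields; nothing is remembered."""
    # inbound rule: anyone may connect to the web server on port 80
    if pkt.dst == WEB_SERVER and pkt.dport == 80:
        return True
    # return traffic has to be admitted by a header pattern alone, classically
    # "source port 80 with ACK set", which says nothing about whether a
    # connection actually exists
    if pkt.sport == 80 and "ACK" in pkt.flags:
        return True
    return False


class StatefulFilter:
    """Keeps a connection table; a packet is admitted only if it opens a
    permitted connection or belongs to one already recorded."""

    def __init__(self) -> None:
        self.connections = set()

    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.connections or rev in self.connections:
            return True                          # part of an established connection
        if pkt.dst == WEB_SERVER and pkt.dport == 80 and pkt.flags == frozenset({"SYN"}):
            self.connections.add(fwd)            # new connection permitted by the rule
            return True
        return False                             # unsolicited: no rule, no matching state


# minimal protocol-conformance check: does the payload even start like an HTTP request?
HTTP_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) \S+ HTTP/1\.[01]\r\n")


def inspect_payload(pkt: Packet) -> str:
    """IPS-style step: the filter lets any bytes reach port 80; this looks at them.
    Returns 'empty', 'ok' or 'alert'."""
    if not pkt.payload:
        return "empty"
    return "ok" if HTTP_REQUEST_LINE.match(pkt.payload) else "alert"


def run_scenario():
    """Run constructed packets through both filters and the inspector.
    Returns a list of (stateless_allowed, stateful_allowed, inspection) per packet."""
    client, outside_host, desktop = "198.51.100.7", "203.0.113.9", "10.0.0.21"  # constructed
    packets = [
        Packet(client, 40000, WEB_SERVER, 80, frozenset({"SYN"})),
        Packet(WEB_SERVER, 80, client, 40000, frozenset({"SYN", "ACK"})),
        Packet(client, 40000, WEB_SERVER, 80, frozenset({"ACK"}),
               b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
        # unsolicited packet that merely looks like web return traffic, aimed at a desktop
        Packet(outside_host, 80, desktop, 5555, frozenset({"ACK"})),
        # bytes sent to port 80 that are not an HTTP request at all
        Packet(client, 40000, WEB_SERVER, 80, frozenset({"ACK"}), b"\x00\x01\x02not http"),
    ]
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p), inspect_payload(p)) for p in packets]


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The fourth packet is the one that separates the two filter types: the stateless rule admits it because it matches the "reply from port 80" pattern, while the stateful filter has no connection entry for it and drops it. The fifth packet shows the other point: both filters admit it, since it is a legitimate connection to port 80, and only the payload check raises an alert.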


elyrodriguez (Author) commented:
Ok, thanks for the info. However, I have a few more questions. Can packet filtering be considered an IDS system? If not, can it be configured into one? What is the difference in the way they filter? Which one is more reliable?

Rich Rumble (Security Samurai) commented:
IDS is intrusion detection, and if your firewall logs are being looked through and you get alerted to certain traffic, whether it's blocked or allowed, then it's an IDS. If you don't have the logs checked with a program or manually, then it's not much of any acronym. An IPS, intrusion PREVENTION system, is one that blocks. Detection alerts you to trouble, or the lack thereof, but doesn't act. IDSs like Snort have plug-ins or add-ons like SnortSAM that will see the alert, and then issue commands to your firewall to block that traffic for a specified time, seconds to forever depending on your settings.

IDS/IPS systems are both just as vulnerable to false positives and false negatives; it depends on the rule that is written. Snort rules are community rules; everyone across the globe contributes and writes rules for Snort, some write better rules than others, and some rules that are well written develop false positives later down the road. (There are lots of links to docs that apply to other IDSs as well, like the IDS evasion docs.)

Snort can also operate in "in-line" mode that allows it to use iptables to block traffic; SnortSAM is however better suited in my opinion.
ahoffmann commented:
> Can packet filtering be considered as an IDS system?
> If not, can it be configured into one?
yes, no, depends
configuring iptables with logging, and then reading the logs, might be considered an IDS

> What is the difference in the way they filter?
IDS do *not* filter

> Which one is more reliable?
both, none, depends
I'd vote for a firewall ...
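As an added example (not code from the thread, and not SnortSAM or any real product), here is the "iptables with logging, then read the logs" idea from the answer above carried through in Python, with the temporary block action Rich describes for SnortSAM bolted on. The log lines are constructed in the standard iptables LOG output format; the `FW-DROP:` and `FW-ACCEPT:` prefixes are hypothetical values that would come from `--log-prefix`, and the detection rule (one source dropped on several distinct ports within a short window) is a deliberately simple one chosen for illustration.

```python
"""Added example: reading iptables LOG output as a minimal IDS, with an
IPS-style temporary block decision. Log lines are constructed; the prefixes
FW-DROP: / FW-ACCEPT: are hypothetical --log-prefix values."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one outside host is dropped on several ports within seconds,
# another is dropped once, and one accepted packet is logged under another prefix.
LOG_LINES = [
    "Mar  3 12:00:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41000 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Mar  3 12:00:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Mar  3 12:00:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=50000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Mar  3 12:00:03 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Mar  3 12:00:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Mar  3 12:00:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41003 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0",
]

# syslog timestamp, host, "kernel:", optional "[uptime]", the --log-prefix, then KEY=VALUE fields
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[\d.\s]+\] )?(?P<prefix>\S+) (?P<fields>.*)$"
)


def parse_line(line):
    """Turn one iptables LOG line into a dict, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))   # bare flags like DF/SYN are skipped
    return {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "prefix": m.group("prefix"), **fields}


class ScanDetector:
    """IDS part: alert when one source is dropped on >= `distinct_ports` different
    ports inside `window_seconds`. IPS part: record a block that expires after
    `block_seconds`, the way a firewall-driving add-on would."""

    def __init__(self, window_seconds=10, distinct_ports=3, block_seconds=600):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = distinct_ports
        self.block_for = timedelta(seconds=block_seconds)
        self.history = defaultdict(list)     # src -> [(timestamp, dport), ...]
        self.blocked = {}                    # src -> block expiry time
        self.alerts = []

    def is_blocked(self, src, now):
        expiry = self.blocked.get(src)
        return expiry is not None and now < expiry

    def feed(self, rec):
        """Consume one parsed record; return an alert string or None."""
        if rec is None or rec.get("prefix") != "FW-DROP:" or rec.get("PROTO") != "TCP":
            return None
        src, now = rec["SRC"], rec["ts"]
        hist = self.history[src]
        hist.append((now, rec.get("DPT")))
        hist[:] = [(t, p) for t, p in hist if now - t <= self.window]   # drop old entries
        ports = {p for _, p in hist}
        if len(ports) >= self.threshold and not self.is_blocked(src, now):
            self.blocked[src] = now + self.block_for
            alert = (f"{src} dropped on {len(ports)} ports within {self.window.seconds}s; "
                     f"block until {self.blocked[src]:%H:%M:%S}")
            self.alerts.append(alert)
            return alert
        return None


def run_demo(lines=LOG_LINES):
    """Feed the constructed log through the detector and return it for inspection."""
    det = ScanDetector()
    for line in lines:
        det.feed(parse_line(line))
    return det


if __name__ == "__main__":
    for a in run_demo().alerts:
        print(a)
```

The accepted packet is ignored because it carries a different prefix, the single drop from 198.51.100.4 never reaches the threshold, and the fifth drop from 203.0.113.9 produces no second alert because that source is already inside its block window. Turning `self.blocked` into real firewall changes is the step that separates an IDS from an IPS, and, as kevinf40 notes, it is the step worth running in alert-only mode first while the threshold is tuned.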
bbao (IT Consultant) commented:
umm... it seems that several related concepts are confusing you. ok, let me explain them:

a packet filtering system is to be used at the frontline to defend your territory. it actually executes your defence plan. it recognizes the incoming people (the incoming packets) to determine your partners (legitimate requests) or your enemies (malicious requests), according to the rules defined in your defence plan. then it takes action: for friends, let them in. for enemies, deport them (refuse the requests) or kill them (drop the packets). the actions depend on your defence plan (such as, to explicitly fight some or to implicitly confuse some).

a logging system is used to completely or partly record what has actually happened or is happening at the frontline, in detail or in summary, depending on the battle types and your enemies. e.g. who has been allowed in as friends (they might be enemies actually if your defence plan has a defect or is wrong), who has been killed or refused, who went out. anything possibly useful for analysis should be recorded.

an IDS is used to monitor the latest changes in the logs and determine any abnormal behaviours, based on some patterns or experience. 1) it needs more computing resources and consumes more time 2) its outcomes are not actions (allow in or not); most are suggestions. some IDSs may give commands to the packet filtering system at the frontline, to apply/change/stop a rule/policy, only if the conclusion of the IDS is very sure.

humans should be involved in the defence system and have the final decisions. an IDS is just a tool to aid the involved people. the commander is a man, the IDS is the commander's intelligence department. the commander reviews everything, and modifies the defence plan if necessary. then the frontline executes it.

briefly, the concepts are different things though related. they need to be connected to work together, in a closed loop: plan, do, check, action (PDCA).

hope it helps,
elyrodriguez (Author) commented:
thanks for the detailed explanations.
Question has a verified solution.