Solved

Question about how a non-stateful firewall receives incoming communications

Posted on 2011-09-02
493 Views
Last Modified: 2013-11-16
Hi,

I know that in a stateful firewall, communication initiated from inside lets packets come back from outside and allows the packet to enter on a HIGH port, because it keeps a state table of the correct session.

My question is, how do things work in non-stateful firewalls regarding incoming communication that is trying to enter my network as a RESPONSE to my request (meaning the same situation as I described for the stateful firewall; let's say I go to a web page and request data from the web server, and the communication comes back to my router)?

In a stateful firewall I know that I don't need to open the high port manually; however, the destination port is a high port number, and the firewall lets the packet pass since it has a record that I started the connection.

But how do things work in a non-stateful firewall?

Does the packet that comes as a reply to my request also have a high port number in the destination? Do I need to open the high port manually?

Another question is, are most routers/firewalls today stateful firewalls?

thanks
Question by:ymg800
15 Comments

Expert Comment

by:Ernie Beek
ID: 36473202
Stateless firewalls basically watch the traffic and compare the packets with the rules in their rules database.

Does the packet that comes as a reply to my request also have a high port number in the destination? Do I need to open the high port manually?
Not quite. In an IOS ACL, for example, you put in:
permit tcp any host 1.2.3.4 established
thus allowing return traffic to pass through.

Are most routers/firewalls today stateful firewalls?
Don't think so, these are the more professional (= expensive) ones. For example: iptables from Linux and the default Windows (XP, Vista, 7) firewalls are all stateless.

Author Comment

by:ymg800
ID: 36473291
So you are saying that in Cisco (IOS is Cisco's OS, right?) you have one command that allows this, and you run it once?

How about other firewalls, for example the Windows firewall that you mention is stateless: how does it accept return traffic in TCP? I don't remember there being any definition or command that you need to enter in order for it to work.

thx

Expert Comment

by:Ernie Beek
ID: 36473421
It's in Cisco IOS, that's correct.

It's not a command as such, but an option in an access list entry. Like:
access-list outside-in permit tcp any host 1.2.3.4 established

For windows, my guess is that it comes built in as an implicit rule.

Author Comment

by:ymg800
ID: 36473498
OK, so you say that in some firewalls this option is already turned on by default. This makes me wonder why in my CISSP studies they say that you need to specify explicitly to open the high port.

By the way, the communication coming back goes to a HIGH port number on the destination IP, right? (which is my gateway and some high-numbered port?) For non-stateful firewalls of course (or stateless :) )
thx

Expert Comment

by:Ernie Beek
ID: 36473611
OK, so you say that in some firewalls this option is already turned on by default. This makes me wonder why in my CISSP studies they say that you need to specify explicitly to open the high port.

Well, I said I guess that's the case for Windows. I normally keep away from that and disable it ASAP.
I'm curious how exactly they describe that in your study material then.

About the second, you're right. The communication source connects to a remote host using a well-known port like 80 from a high port (>1023), and the remote host connects back to that high port. You know, three-way handshake and stuff.

Author Comment

by:ymg800
ID: 36473714
It's a question, and I got the answer, OK.

Here is the question from the exam:
Opening high-port ranges in a packet filtering firewall:

Correct answer:
must be explicitly permitted for inbound traffic to allow TCP sessions

While there is another question for stateful firewalls:

Opening high-port ranges in a stateful firewall:

Correct answer:

is not necessary to explicitly refer to high ports in this type of firewall

Well, I don't remember seeing any firewall that needs high ports to be explicitly defined, but on the other hand, I haven't seen a lot of firewalls :)

Accepted Solution

by: Ernie Beek (earned 500 total points)
ID: 36473755
Ah, well that is what you do with:
access-list outside-in permit tcp any host 1.2.3.4 established
You explicitly permit return traffic (SYN-ACK) from an outgoing request.
Only you don't explicitly define what ports (because you don't need to).

Author Comment

by:ymg800
ID: 36473794
Well, that is true for Cisco; I guess other vendors have something similar or so...
But since nobody gives any input for other products (seems like you are the only one answering...)

I will close this question if there is no further input about other vendors and stateless firewalls...

Thanks a lot for helping, erniebeek!! (the points will come shortly of course : ) )

Expert Comment

by:Ernie Beek
ID: 36473806
No problem, glad I could help you (in a certain way :)

Author Comment

by:ymg800
ID: 36473837
You helped a lot!! Thanks!!

Expert Comment

by:Ernie Beek
ID: 36501412
Hi ymg800.

Is there anything else you need to know?

Author Comment

by:ymg800
ID: 36521234
Yes, please check my last post:

"Well, that is true for Cisco; I guess other vendors have something similar or so...
But since nobody gives any input for other products (seems like you are the only one answering...)

I will close this question if there is no further input about other vendors and stateless firewalls..."

The question is whether you need to specify directly to open the high port for returning TCP packets in a stateless firewall.

erniebeek brought an example regarding Cisco, but what about other vendors?

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 36521317
Ah, you're right.
Let's see if I can help you a bit more.

For example iptables, to allow established traffic:
https://help.ubuntu.com/community/IptablesHowTo#Allowing_Established_Sessions
This is from an Ubuntu forum, but the idea is the same for other flavours of Linux.

Windows is using an application-based firewall. So you define the application which is allowed through the firewall. Windows has pre-configured sets of rules per application that define which ports the application is using for incoming and outgoing traffic.
http://en.wikipedia.org/wiki/Windows_Firewall
http://en.wikipedia.org/wiki/Windows_Filtering_Platform
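To make the difference between the accepted solution's `established` ACL entry and the stateful behaviour asked about in the question concrete, here is an added example (not code from the thread, Cisco or iptables) that models both decisions on constructed packets. The inside host 1.2.3.4 is taken from the ACL quoted in the thread; the remote addresses, ports and flags are constructed, and IOS semantics of `established` are modelled as "ACK or RST bit set".

```python
# Added example, not from the thread: a toy model of the two decisions
# discussed above. A stateless "established" entry looks only at the TCP
# flags of the packet in hand; a stateful firewall consults a session table.
from dataclasses import dataclass

INSIDE_HOST = "1.2.3.4"  # the "host 1.2.3.4" from the ACL quoted in the thread

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}

def stateless_established(pkt: Packet) -> bool:
    """Model of 'permit tcp any host 1.2.3.4 established' (IOS semantics):
    permit if the packet is for the inside host and ACK or RST is set.
    No port is ever named, and there is no memory of who opened what."""
    return pkt.dst == INSIDE_HOST and bool(pkt.flags & {"ACK", "RST"})

class StatefulFilter:
    """Records outbound sessions and admits only their return traffic."""
    def __init__(self) -> None:
        self.sessions = set()  # (inside_ip, inside_port, remote_ip, remote_port)

    def outbound(self, pkt: Packet) -> None:
        # An inside host opening a connection (bare SYN): remember the 4-tuple.
        if pkt.src == INSIDE_HOST and pkt.flags == {"SYN"}:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> bool:
        # Return traffic must match a recorded session with the ends reversed.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def demo() -> dict:
    """Constructed traffic: a web session opened from inside (source port 51000,
    a high port) with its SYN-ACK reply, plus an unsolicited ACK from elsewhere."""
    fw = StatefulFilter()
    fw.outbound(Packet(INSIDE_HOST, 51000, "203.0.113.10", 80, frozenset({"SYN"})))
    reply = Packet("203.0.113.10", 80, INSIDE_HOST, 51000, frozenset({"SYN", "ACK"}))
    stray = Packet("198.51.100.7", 80, INSIDE_HOST, 51001, frozenset({"ACK"}))
    return {
        "reply_stateless": stateless_established(reply),  # True: ACK bit set
        "reply_stateful": fw.inbound(reply),              # True: matches a session
        "stray_stateless": stateless_established(stray),  # True: flags alone suffice
        "stray_stateful": fw.inbound(stray),              # False: nobody opened it
    }
```

Both filters admit the genuine reply to destination port 51000 without that port being listed anywhere, which is the point of the exam answer; the stateless rule also admits the stray ACK, which is why the state table is the stronger control.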