To: Nick Morvay who wrote (12742) 9/25/2001 3:25:11 PM From: Jon Tara

Stateful inspection is different from packet filtering. Packet filtering is simply examining each packet, and permitting or denying it based on information contained in the headers. Typically, you use packet filters to permit or deny specific protocols or sockets. Stateful inspection goes further, and follows "sessions".

For example, when your web browser contacts a web server, it does this on port 80. So, you have traffic outbound to port 80 on the web server. It will get through your firewall if you allow outbound traffic for port 80. Your web browser obtains a local socket (1024-65535) and tells the web server where to send the response. Say, port 47561. (This is also true for FTP and a number of other protocols.) This port number is typically different for each request.

To receive the web page, your computer has to receive data on port 47561. How do you do this with packet filtering? You have to allow traffic in on ports 1024-65535. That is a pretty big hole. It opens the door for "spoofing" - that is, somebody else could supply a response to an HTTP request that you made. There is one simple enhancement that is typically used with packet filtering, which allows you to require that the "established" bit be set. So, you can reject any packets where that bit isn't set. It isn't set unless it is a response to a request. But, then again, a spoofer could just set the bit...

A stateful-inspection firewall will establish a "session" when you send out the HTTP request to the remote web server on port 80. It makes a notation in a table that you are expecting a response on port 47561. It will then open up port 47561 for the response, and the response must have been sent by the IP address that you sent the request to.

I use a Netscreen 5XP. netscreen.com They are about $500, which includes VPN capability, which I use.
Prices have been coming down, and I think there are some stateful inspection firewalls (without VPN) on the market now around $200. I believe that SonicWall offers their product at a somewhat reduced price without the VPN.
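The difference the post describes, as an added simulation that is not part of the original thread: a stateless filter that admits any inbound packet to 1024-65535 with the "established" bit set, next to a stateful firewall that records each outbound port-80 request in a session table and admits only the exact reverse of a recorded session. All addresses, port numbers and packets below are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool   # True if the packet arrives from the Internet side
    ack: bool       # the "established" (ACK) bit, which any sender can set

def packet_filter(pkt: Packet) -> bool:
    """Stateless rules: outbound only to 80; inbound only to 1024-65535 with ACK set."""
    if not pkt.inbound:
        return pkt.dst_port == 80
    return 1024 <= pkt.dst_port <= 65535 and pkt.ack

class StatefulFirewall:
    """Records permitted outbound requests; admits only their matching replies."""
    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()  # no timeouts in this toy

    def check(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.dst_port != 80:
                return False
            # Note which remote IP:port owes a reply to which local IP:port.
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # The reply must come FROM the server we contacted TO the port we used.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions

def demo() -> dict[str, tuple[bool, bool]]:
    """Constructed traffic; returns {name: (packet-filter verdict, stateful verdict)}."""
    fw = StatefulFirewall()
    request = Packet("192.0.2.10", 47561, "198.51.100.5", 80, inbound=False, ack=False)
    reply = Packet("198.51.100.5", 80, "192.0.2.10", 47561, inbound=True, ack=True)
    spoof = Packet("203.0.113.9", 80, "192.0.2.10", 47561, inbound=True, ack=True)  # wrong source IP
    unsolicited = Packet("198.51.100.5", 80, "192.0.2.10", 51000, inbound=True, ack=True)  # no session
    results = {}
    for name, pkt in [("request", request), ("reply", reply), ("spoof", spoof), ("unsolicited", unsolicited)]:
        results[name] = (packet_filter(pkt), fw.check(pkt))
    return results

if __name__ == "__main__":
    for name, (pf, sf) in demo().items():
        print(f"{name:12} packet filter={'allow' if pf else 'deny':5} stateful={'allow' if sf else 'deny'}")
```

The stateless filter passes the spoofed and unsolicited packets because the ACK bit is all it can check; the session table rejects both because neither matches a request that was actually sent.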