I don't need no stinking firewall!

William Herrin herrin-nanog at dirtside.com
Tue Jan 5 21:44:31 UTC 2010

On Tue, Jan 5, 2010 at 3:16 PM, Brian Johnson <bjohnson at drtel.com> wrote:
> I have my own idea of what a firewall is and what it does. I also
> understand what statefull packet inspection is and what it does. Given
> this information, and not prejudging any responses, exactly what is a
> firewall for and when is statefull inspection useful?

A firewall is anything that examines IP packets in-line for the
purpose of discarding undesirable packets before they can be
interpreted by the transport layer protocol (e.g. TCP) on the endpoint

A firewall is usually a computer filling in the same slot as a router
in a network topology capable of discarding packets before they can
reach the endpoint computer at all. In some cases though, a firewall
may be a separate piece of software on the same computer sending or
receiving the packet.

The purpose of the firewall is to permit the protected equipment to
operate with a less thorough (hence less expensive) attention to the
network security process. Can't really afford to have a dedicated
network security guru for every dozen desktops playing big brother
with what software the users are using so you focus your attention on
the border instead.

Stateful inspection is useful when you want the firewall to discard
any packets which are not part of a communications session that the
firewall understands and has approved. By contrast, packet filtering
will only discard those packets explicitly deemed bad.

At a practical level, the above distinction can be a noop. Internal
machines are usually incapable of acting on packets the packet filter
will unintentionally pass, such as IP fragments without the first

Stateful address-overloaded NAT offers additional protection over
stateful inspection alone in that the firewall naturally "fails
closed." That is, a malfunctioning firewall will drop acceptable
packets rather than allow bad ones. This is "defense in depth." An
error in the filtering process still leaves the firewall with no idea
which internal machine to transmit the errantly cleared packet to;
that information was only available as part of the session state. By
contrast, stateful, packet filtering and non-overloaded NAT firewalls
are always able to send the packet to an internal machine once it
passes the filtering rules.

This last is part of what makes the little "DSL routers" such useful
weapons in the network security professional's arsenal.

Bill Herrin

William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

More information about the NANOG mailing list