Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Assymetric Routing / Statefull Inspection Firewall

  • From: Steve Gibbard
  • Date: Wed Mar 17 03:06:22 2004

On Tue, 16 Mar 2004 wrote:

> If you are asking for stateful filtering for a firewall that sees only
> one-way conversation, it does not exist and cannot exist, by definition.

On a purely theoretical level, I'll disagree.

A stateful inspection firewall needs to know about the packets going in
one direction to do something intelligent with the packets going in one
direction.  That does not mean the firewall needs to see all the packets,
just that it needs to know about them.

Systems for communicating information about flows and state between
firewalls exist.  Cisco does this on the PIXes for redundant firewalls, so
that a fail-over can happen without connections being dropped.  I assume
other firewall manufacturers do that in this context as well.

What would be needed in this case would be to have the firewalls at the
various different network entry points share information about connection
state with eachother.  This sounds pretty easy, but whether the
information sharing would happen fast enough to process return traffic on
a new connection is a question I don't know the answer to.  I don't know
if anybody is making firewalls that actually do this.


Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.