
US-Cert alert! Thanks to a massive bug, VPN now stands for 'Vigorously Pwned Nodes'

-tim
Facepalm

Stateless firewalls are the core problem

Most so-called stateful firewalls only look at TCP state, so if the packet says it's not new, it gets handed off through the firewall. Things like VPNs and VoIP tend to use stateless protocols, so most firewalls don't do a proper stateful firewall with those packets. Most VPN software inserts packets on the trusted side of firewalls, so there will be no end of security issues. Add in the fact that nearly no one checks for IPv6, even though it is on for nearly every bit of hardware around these days, and the old Untrusted/DMZ/Trust network design was obsolete two decades ago. A modern firewall must be truly stateful (based on its own idea of state, not bits in the packet) and zone based (using names for groups of interfaces no matter what the IP addresses or VLAN), or else these issues will keep showing up.
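As an added illustration of the distinction the comment draws (this is not code from the poster or from The Register), the Python below contrasts a filter that trusts the packet's own TCP flags and relies on static UDP port holes with a tracker that keeps its own connection table and applies a zone policy. The interfaces, zone names, route table, addresses and ports are all constructed for the example.

```python
"""Flag-based 'stateful' filtering vs. a firewall with its own connection table.

Added example. Interfaces, zones, routes, addresses and ports are constructed
for illustration and do not describe any real deployment.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    iface: str              # ingress interface
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"} or {"ACK"}


# Zones are names for groups of interfaces; the VPN tunnel interface is "trust",
# which is the point the comment makes about VPN packets landing inside.
ZONES = {"eth0": "untrust", "eth1": "trust", "tun0": "trust"}
ROUTES = {ipaddress.ip_network("10.0.0.0/8"): "eth1",
          ipaddress.ip_network("0.0.0.0/0"): "eth0"}
ZONE_POLICY = {("trust", "untrust")}   # only trust may open new flows to untrust
STATIC_UDP_PORTS = {4500}              # constructed: an always-open "VPN" port hole


def egress_iface(dst: str) -> str:
    """Longest-prefix match on the constructed route table."""
    addr = ipaddress.ip_address(dst)
    best = max((net for net in ROUTES if addr in net), key=lambda n: n.prefixlen)
    return ROUTES[best]


def flag_based_accept(pkt: Packet) -> bool:
    """Stateful in name only: believes the bits the packet carries."""
    if ZONES[pkt.iface] == "trust":
        return True                                    # anything from inside goes out
    if pkt.proto == "tcp":
        return "ACK" in pkt.flags and "SYN" not in pkt.flags   # "not new", says the packet
    return pkt.dport in STATIC_UDP_PORTS               # UDP: static holes only


class ConnTracker:
    """Keeps its own flow table; never trusts a packet's claim about state."""

    def __init__(self):
        self.table = {}   # 5-tuple -> "new"

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def accept(self, pkt: Packet) -> bool:
        if self._key(pkt) in self.table or self._reverse(pkt) in self.table:
            return True                                # part of a flow we recorded ourselves
        src_zone = ZONES[pkt.iface]
        dst_zone = ZONES[egress_iface(pkt.dst)]
        if (src_zone, dst_zone) not in ZONE_POLICY:
            return False                               # zone policy forbids new flows this way
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return False                               # a new TCP flow starts with SYN, full stop
        self.table[self._key(pkt)] = "new"             # UDP flows are tracked the same way
        return True


def run_scenario() -> dict:
    """Returns {description: (flag_based_verdict, tracker_verdict)} for constructed traffic."""
    fw = ConnTracker()
    packets = [
        ("inside host queries DNS",
         Packet("eth1", "udp", "10.0.0.5", 40000, "203.0.113.10", 53)),
        ("DNS reply to that query",
         Packet("eth0", "udp", "203.0.113.10", 53, "10.0.0.5", 40000)),
        ("unsolicited UDP to static VPN port",
         Packet("eth0", "udp", "198.51.100.7", 40000, "10.0.0.5", 4500)),
        ("TCP segment claiming ACK, no prior SYN",
         Packet("eth0", "tcp", "198.51.100.7", 12345, "10.0.0.5", 22, frozenset({"ACK"}))),
        ("TCP SYN from untrust",
         Packet("eth0", "tcp", "198.51.100.7", 12346, "10.0.0.5", 22, frozenset({"SYN"}))),
    ]
    return {name: (flag_based_accept(p), fw.accept(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (flag_verdict, tracker_verdict) in run_scenario().items():
        print(f"{name:40s} flag-based={flag_verdict!s:5s} tracker={tracker_verdict}")
```

The two results worth comparing are the UDP reply, which the flag-based filter drops because it has no record of the outbound query, and the unsolicited UDP and ACK-only TCP packets, which it accepts because a static hole or a flag bit told it to; the tracker gets all four right because its verdicts come from its own table and zone policy rather than from the packet.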


Biting the hand that feeds IT © 1998–2021