Stateful firewalls and dynamic routing question.

 
 
abstractclass
Guest
Posts: n/a

 
      10-15-2006, 06:30 PM
Are stateful firewalls problematic when dynamic routing is used? I'm
guessing that when the network topology changes while an existing
connection exists in the state table, this would cause problems as the
source IP has the potential of changing and thus causing the existing
connection to drop. I am not sure what the solution to this would be.
The only one I can think of is to ensure that the firewall policy
contains all possible source IP addresses for each possible network
topology change? Am I correct at all, or way off? Any tips would be
appreciated! Thx.

 
 
 
 
 
Jeroen Geilman
Guest
Posts: n/a

 
      10-15-2006, 10:19 PM
abstractclass wrote:

> Are stateful firewalls problematic when dynamic routing is used?


Explain.
Dynamic routing on the firewall box, or next to it ?

It could be a problem when you run a routing protocol ON the firewall
box, yes, but then I would not advise anyone to do that.
And the main reason that it could be a problem is because a stateful
firewall generally also does address and/or port translation.

For a pure firewall, no problems exist with respect to routing - dynamic
or otherwise.
In fact, that's where packet filtering is most commonly implemented - on
the edge routers (that have to do dynamic routing, in order for you to
surf the 'net.)

> I'm
> guessing that when the network topology changes while an existing
> connection exists in the state table, this would cause problems as the
> source IP has the potential of changing and thus causing the existing
> connection to drop.


Why would the source IP change ?
The one thing IP routing always keeps intact are the source and
destination addresses - it obviously has to, for your traffic to arrive
*at all*.

A TCP/IP network is what's known as a packet-switching network; there
may be temporary virtual circuits but at no time are there physical
connections between remote endpoints - ever.
There is never a direct, fixed connection between any hosts not on the
same physical subnet, which works on a lower layer than IP does.

Methinks you'd be best helped by a quick readup on IP routing, and the
(many) differences between routing and switching.

> I am not sure what the solution to this would be.
> The only one I can think of is to ensure that the firewall policy
> contains all possible source IP addresses for each possible network
> topology change? Am I correct at all, or way off?


Way off, I'd say


J.
 
 
abstractclass
Guest
Posts: n/a

 
      10-16-2006, 05:53 PM
Thank you for the reply. I'm still a little confused. Does a firewall
do physical MAC address translation? I can see where this might be a
problem as the source physical address would change if it came from
another router due to topology change. I'm reading my books but can't
find an answer. It just shows that a firewall looks at the source/dest
IP addresses. Sorry, I'm a newbie to networking. Thx.

On Oct 15, 5:19 pm, Jeroen Geilman <n...@home.no> wrote:
> abstractclass wrote:
> > Are stateful firewalls problematic when dynamic routing is used?
>
> Explain.

> Dynamic routing on the firewall box, or next to it ?
>
> It could be a problem when you run a routing protocol ON the firewall
> box, yes, but then I would not advise anyone to do that.
> And the main reason that it could be a problem is because a stateful
> firewall generally also does address and/or port translation.
>
> For a pure firewall, no problems exist with respect to routing - dynamic
> or otherwise.
> In fact, that's where packet filtering is most commonly implemented - on
> the edge routers (that have to do dynamic routing, in order for you to
> surf the 'net.)
>
> > I'm
> > guessing that when the network topology changes while an existing
> > connection exists in the state table, this would cause problems as the
> > source IP has the potential of changing and thus causing the existing
> > connection to drop.
>
> Why would the source IP change ?

> The one thing IP routing always keeps intact are the source and
> destination addresses - it obviously has to, for your traffic to arrive
> *at all*.
>
> A TCP/IP network is what's known as a packet-switching network; there
> may be temporary virtual circuits but at no time are there physical
> connections between remote endpoints - ever.
> There is never a direct, fixed connection between any hosts not on the
> same physical subnet, which works on a lower layer than IP does.
>
> Methinks you'd be best helped by a quick readup on IP routing, and the
> (many) differences between routing and switching.
>
> > I am not sure what the solution to this would be.
> > The only one I can think of is to ensure that the firewall policy
> > contains all possible source IP addresses for each possible network
> > topology change? Am I correct at all, or way off?
>
> Way off, I'd say

>
> J.


 
 
Jeroen Geilman
Guest
Posts: n/a

 
      10-16-2006, 08:48 PM
abstractclass wrote:
> Thank you for the reply. I'm still a little confused. Does a firewall
> do physical MAC address translation?


MAC addresses are never translated, since it's pointless (unless you're
working with a big iron like a Cisco enterprise-class Layer 3 switch,
which can do *anything*...)

Where does this confusion of MAC and IP addressing come from ?
They are very, very different, and the only reason they are ever
mentioned in the same sentence is when talking about physical
connections (AKA network interfaces.)

> I can see where this might be a
> problem as the source physical address would change if it came from
> another router due to topology change.


Actually, no.
The source MAC address of any packet that arrives at your router will
*always* be the MAC address of the next router.
Unless you are an ISP and/or have multiple direct Internet connections,
this will always be the same address.

So it's completely useless in determining the actual origin of the
packet - hence IP.

> I'm reading my books but can't
> find an answer. It just shows that a firewall looks at the source/dest
> IP addresses. Sorry, I'm a newbie to networking. Thx.


*IP* addresses, yes.
See above re: confusion.


J.
 
 
abstractclass
Guest
Posts: n/a

 
      10-16-2006, 10:27 PM
This is what I understand so far:

A stateful firewall looks at an incoming packet, compares the IP and
ports to its ACL and logs the source & destination IP and source &
destination port # of an incoming connection in its state table to
allow a connection to enter the network.

Dynamic routing causes the routing of packets to change based on the
network traffic load etc., yet the src/dest IP address never change in
these packets, even if the routing should change.

Looking at those two facts, I still don't see how dynamic routing can
cause problems for a stateful firewall if the firewall only looks at IP
and port numbers. I can't find anything in my book or on the internet
that mentions anything about problems with dynamic routing and stateful
firewalls.


On Oct 16, 3:48 pm, Jeroen Geilman <n...@home.no> wrote:
> abstractclass wrote:
> > Thank you for the reply. I'm still a little confused. Does a firewall
> > do physical MAC address translation?
>
> MAC addresses are never translated, since it's pointless (unless you're

> working with a big iron like a Cisco enterprise-class Layer 3 switch,
> which can do *anything*...)
>
> Where does this confusion of MAC and IP addressing come from ?
> They are very, very different, and the only reason they are ever
> mentioned in the same sentence is when talking about physical
> connections (AKA network interfaces.)
>
> > I can see where this might be a
> > problem as the source physical address would change if it came from
> > another router due to topology change.
>
> Actually, no.

> The source MAC address of any packet that arrives at your router will
> *always* be the MAC address of the next router.
> Unless you are an ISP and/or have multiple direct Internet connections,
> this will always be the same address.
>
> So it's completely useless in determining the actual origin of the
> packet - hence IP.
>
> > I'm reading my books but can't
> > find an answer. It just shows that a firewall looks at the source/dest
> > IP addresses. Sorry, I'm a newbie to networking. Thx.
>
> *IP* addresses, yes.

> See above re: confusion.
>
> J.


 
 
Moe Trin
Guest
Posts: n/a

 
      10-17-2006, 02:47 AM
On 15 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed). com>, abstractclass wrote:

>Are stateful firewalls problematic when dynamic routing is used?


Shouldn't be, as long as the end points of a connection aren't changing.

>I'm guessing that when the network topology changes while an existing
>connection exists in the state table, this would cause problems as the
>source IP has the potential of changing and thus causing the existing
>connection to drop.


Why would the source (or destination) address change if the routing in
between the two changes? This happens all of the time on the Internet, as
routing "in the cloud" may change randomly. The end points see no
indication of this change.

>I am not sure what the solution to this would be.


An address change _in_ the cloud has no effect. On the other hand, if the
end point address(es) change, with a stateful firewall, there is no
solution, because the connection has ended.

>The only one I can think of is to ensure that the firewall policy
>contains all possible source IP addresses for each possible network
>topology change? Am I correct at all, or way off?


No - but you may be mis-describing the problem. If you are on the ends
of two stubs from different ISPs, and masquerading non-public addresses
to one (or more) of those belonging to those ISPs, then your stateful
firewall would only see the connections disappear. Assuming host $FOO
on 192.168.1.11 is being masqueraded as 192.0.2.21 on ISP "A" and has a
connection to some server on 5.10.15.20 out on the Internet, and the
link to ISP "A" goes down, but you have a fallback to ISP B - where you
are being masqueraded as 198.18.56.40... the remote sees the
connection to 192.0.2.21 die, and here is some h4x0r trying to carry
on from 198.18.56.40 - sorry, that connection is dead, and the state
is FIN_WAIT2.

Old guy
 
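Jeroen's point (a connection tracker keys on the IP/port tuple, never on the source MAC) and Moe Trin's ISP failover scenario, modelled as a toy connection tracker. This is an added example, not code posted in the thread; the MAC addresses are constructed, and the IP addresses are the ones Moe Trin used above.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src_mac: str   # next-hop L2 address, carried only to show it is ignored
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    syn: bool = False

def flow_key(p):
    return (p.src_ip, p.dst_ip, p.sport, p.dport)

def reverse_key(p):
    return (p.dst_ip, p.src_ip, p.dport, p.sport)

class StatefulFirewall:
    """Toy conntrack: a flow is identified by its IP/port 4-tuple only."""
    def __init__(self, allow_new):
        self.allow_new = allow_new  # policy predicate applied to NEW connections
        self.table = set()

    def classify(self, p):
        if flow_key(p) in self.table or reverse_key(p) in self.table:
            return "ESTABLISHED"
        if p.syn and self.allow_new(p):
            self.table.add(flow_key(p))
            return "NEW"
        return "INVALID"  # no state and not a permitted SYN: dropped

SERVER = "5.10.15.20"

def route_change_is_harmless():
    """Jeroen's point: a reroute changes the next-hop MAC, not the IP tuple."""
    fw = StatefulFirewall(lambda p: p.dport == 443)  # site firewall allows outbound HTTPS
    fw.classify(Packet("02:00:00:00:00:01", "192.0.2.21", SERVER, 40000, 443, syn=True))
    # Replies arrive via two different upstream routers (constructed MACs); both match.
    reply_via_r1 = fw.classify(Packet("02:00:00:00:aa:01", SERVER, "192.0.2.21", 443, 40000))
    reply_via_r2 = fw.classify(Packet("02:00:00:00:aa:02", SERVER, "192.0.2.21", 443, 40000))
    return reply_via_r1, reply_via_r2

def isp_failover_kills_flow():
    """Moe Trin's scenario, seen from the remote server's stateful firewall."""
    fw = StatefulFirewall(lambda p: p.dst_ip == SERVER and p.dport == 443)
    first = fw.classify(Packet("02:00:00:00:bb:01", "192.0.2.21", SERVER, 40000, 443, syn=True))
    # Link to ISP A drops; the same host is now masqueraded as 198.18.56.40 via ISP B
    # and carries on mid-stream (no SYN) with the same ports: no state matches.
    after = fw.classify(Packet("02:00:00:00:bb:01", "198.18.56.40", SERVER, 40000, 443))
    return first, after
```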
 
abstractclass
Guest
Posts: n/a

 
      10-17-2006, 04:32 PM
Thanks. That scenario makes sense.

On Oct 16, 9:47 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:
> On 15 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in article
>
> <1160937036.700963.72...@b28g2000cwb.googlegroups. com>, abstractclass wrote:
> >Are stateful firewalls problematic when dynamic routing is used?
>
> Shouldn't be, as long as the end points of a connection aren't changing.

>
> >I'm guessing that when the network topology changes while an existing
> >connection exists in the state table, this would cause problems as the
> >source IP has the potential of changing and thus causing the existing
> >connection to drop.
>
> Why would the source (or destination) address change if the routing in

> between the two changes? This happens all of the time on the Internet, as
> routing "in the cloud" may change randomly. The end points see no
> indication of this change.
>
> >I am not sure what the solution to this would be.
>
> An address change _in_ the cloud has no effect. On the other hand, if the

> end point address(es) change, with a stateful firewall, there is no
> solution, because the connection has ended.
>
> >The only one I can think of is to ensure that the firewall policy
> >contains all possible source IP addresses for each possible network
> >topology change? Am I correct at all, or way off?
>
> No - but you may be mis-describing the problem. If you are on the ends

> of two stubs from different ISPs, and masquerading non-public addresses
> to one (or more) of those belonging to those ISPs, then your stateful
> firewall would only see the connections disappear. Assuming host $FOO
> on 192.168.1.11 is being masqueraded as 192.0.2.21 on ISP "A" and has a
> connection to some server on 5.10.15.20 out on the Internet, and the
> link to ISP "A" goes down, but you have a fallback to ISP B - where you
> are being masqueraded as 198.18.56.40... the remote sees the
> connection to 192.0.2.21 die, and here is some h4x0r trying to carry
> on from 198.18.56.40 - sorry, that connection is dead, and the state
> is FIN_WAIT2.
>
> Old guy


 
 
Jeroen Geilman
Guest
Posts: n/a

 
      10-17-2006, 07:34 PM
abstractclass wrote:
> This is what I understand so far:
>
> A stateful firewall looks at an incoming packet, compares the IP and
> ports to its ACL and logs the source & destination IP and source &
> destination port # of an incoming connection in its state table to
> allow a connection to enter the network.


IF it passes the ACL, else it forgets about it (possibly logs a DENY.)

> Dynamic routing causes the routing of packets to change based on the
> network traffic load etc., yet the src/dest IP address never change in
> these packets, even if the routing should change.
>
> Looking at those two facts, I still don't see how dynamic routing can
> cause problems for a stateful firewall if the firewall only looks at IP
> and port numbers. I can't find anything in my book or on the internet
> that mentions anything about problems with dynamic routing and stateful
> firewalls.


Then why did you ask the question ?
You make it sound as though *I* were the one to suggest this - yet that
question is the first line in your original post...

My answer was:
>> For a pure firewall, no problems exist with respect to routing -
>> dynamic or otherwise.



J.
 
 
abstractclass
Guest
Posts: n/a

 
      10-17-2006, 10:18 PM
I asked the question because it was a question on one of my networking
assignments. I didn't realize it was a trick question until it was
clarified. I never suggested that *you* were the one who suggested
this. I wasn't looking for a free answer either. I just wanted
some clarification. I appreciate your thorough replies as they did
help. Thanks.

On Oct 17, 2:34 pm, Jeroen Geilman <n...@home.no> wrote:
> abstractclass wrote:
> > This is what I understand so far:

>
> > A stateful firewall looks at an incoming packet, compares the IP and
> > ports to its ACL and logs the source & destination IP and source &
> > destination port # of an incoming connection in its state table to
> > allow a connection to enter the network.
>
> IF it passes the ACL, else it forgets about it (possibly logs a DENY.)

>
> > Dynamic routing causes the routing of packets to change based on the
> > network traffic load etc., yet the src/dest IP address never change in
> > these packets, even if the routing should change.

>
> > Looking at those two facts, I still don't see how dynamic routing can
> > cause problems for a stateful firewall if the firewall only looks at IP
> > and port numbers. I can't find anything in my book or on the internet
> > that mentions anything about problems with dynamic routing and stateful
> > firewalls.
>
> Then why did you ask the question ?

> You make it sound as though *I* were the one to suggest this - yet that
> question is the first line in your original post...
>
> My answer was:
> >> For a pure firewall, no problems exist with respect to routing -
> >> dynamic or otherwise.

>
> J.


 
 
Jeroen Geilman
Guest
Posts: n/a

 
      10-18-2006, 08:34 PM
abstractclass wrote:
> I asked the question because it was a question on one of my networking
> assignments.


Oh.
Homework.
 
 
 
 