
Re: firewalling -- established



Y'all,

"Established" means you're real square, part of the establishment, drive
a Buick, own your own house, have life insurance, 2.2 kids one of which
is in college....

No, seriously, this is tech jargon for how TCP opens a session. In the
beginning, TCP does a kind of a handshake. This involves setting certain
bits in the TCP header, among them an ACK-bit (acknowledge) and a
SYN-bit (synchronize). The handshake involves three steps. In the first
step, the initiator of the session sets SYN=1, which in effect asks the
other side 'you wanna hold my hand?'. At this point, the initiator has
not yet heard anything from the other side, so ACK=0. This state is
called not-established. This first salvo goes over the wire and then the
second station replies by setting SYN=1, which means 'ok, but just this
once'. The second station must also acknowledge that it has received the
first packet, so it sets ACK=1. (All subsequent packets in the same
session also have the ACK-bit set to one; only the first packet has the
ACK-bit set to zero.) The first station receives this reply and replies
with ACK=1, which is the third and final packet in the handshake. (The
SYN-bit returns to zero for the rest of the session). The session is now
considered to be 'established'.

What this means in terms of firewalling is this: if you initiate a
session and get a reply, the reply has the ACK-bit set to one; the
router or firewall can be configured to recognise this session as
'established'--that is, the reply is allowed into the LAN because it is
the expected reply to a session YOU initiated. Whereas, if someone else
attempts to hack into your LAN, HIS first packet has the ACK-bit set to
zero, and the router or firewall treats this as not-established and
drops the packet. The technical term for this is 'stateful
inspection.'--i.e., checking the ACK-bit state.

Now, I think I can second-guess Robt.'s next thought here: what's to
stop a dedicated hacker from manually setting his ACK-bit to one and
thereby getting into the LAN. The answer is, nothing. That's why
professionally managed networks have several lines of defense, not only
firewalls and routers, but also virus scanners and intrusion detectors
and other real-time monitoring devices. In any case, just setting the
ACK-bit to one doesn't mean the hacker is 'in'. The TCP header also has
sequence numbers, and if the sequence numbers don't match, the hacker
hasn't gained anything, access or otherwise. Since he's sending the
first packet, he has no idea what sequence number to choose, and since
no station inside the LAN is expecting any particular sequence number,
no station is going to reply to the hacker's initial bid, despite the
ACK=1.

Establishing to oneself may be some sort of loopback function. I'm not
sure what Harry was up to at that moment.

Flash
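The ACK-bit rule and the sequence-number point from the message above, as an added Python sketch that is not part of the original post: the filter lets any inbound segment with ACK=1 through, while the inside host only answers a reply whose acknowledgement number matches the SYN it actually sent. The host names, flag constants and sequence numbers are constructed for illustration.

```python
"""Toy model of 'established' filtering. Constructed example, not code from the post."""
from dataclasses import dataclass
from typing import Dict, Optional

SYN, ACK = 0x02, 0x10  # TCP flag bit positions from the TCP header


@dataclass(frozen=True)
class Segment:
    src: str    # sending host (constructed names)
    dst: str
    flags: int  # bitwise OR of SYN / ACK
    seq: int    # sequence number
    ack: int    # acknowledgement number


def established_filter_allows(seg: Segment) -> bool:
    """The ACK-bit rule: ACK=0 is the first packet of a session opened from
    outside and is dropped; ACK=1 is treated as a reply to a session we began."""
    return bool(seg.flags & ACK)


class Host:
    """Inside host that only remembers the sessions it opened itself."""

    def __init__(self) -> None:
        self.pending: Dict[str, int] = {}  # peer -> initial seq we sent in our SYN

    def open(self, peer: str, isn: int) -> Segment:
        """First handshake packet: SYN=1, ACK=0 (the not-established state)."""
        self.pending[peer] = isn
        return Segment("lan-host", peer, SYN, isn, 0)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Return the third handshake packet, or None if the segment is ignored."""
        isn = self.pending.get(seg.src)
        if isn is None:
            return None  # nobody here is expecting anything from this peer
        if seg.flags & SYN and seg.flags & ACK and seg.ack == isn + 1:
            del self.pending[seg.src]  # session now established
            return Segment("lan-host", seg.src, ACK, isn + 1, seg.seq + 1)
        return None  # ACK=1 but the numbers do not match what we sent


if __name__ == "__main__":
    h = Host()
    h.open("web", 1000)
    legit = Segment("web", "lan-host", SYN | ACK, 5000, 1001)
    print("reply from web:", established_filter_allows(legit), h.receive(legit))
    spoof = Segment("outsider", "lan-host", SYN | ACK, 7, 99)
    print("ACK=1 cold open:", established_filter_allows(spoof), Host().receive(spoof))
```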