Ivan posted here:
I’ll take ownership of the statement because at least it sounds like something I have discussed on the podcast and, sadly, because there aren’t that many networking podcasts.
The comment is in relation to the purpose of a stateful firewall when compared to a stateless firewall aka access lists. I do think that my comments are being taken out of context in a larger discussion of designing IT Security.
To this day, I am still struggling to explain the business value of the modern firewalls compared to stateless filtering. Many companies focus heavily on firewalls as their primary security tool. In my view, the firewall should be the least significant tool in your security plan.
In my view, very few companies use the security features embedded in firewalls products that might make them secure because of the technology and product complexity.
I wonder how many people understand the precise technical details of a firewall and just how limited the value is to IT security posture. I would invest more into analytics, monitoring and intelligence tools than firewalls.
I suspect that my intention was to point out that stateful firewalls are used to prevent IP spoofing/hijacking, fragmentation attacks and other IP-based attacks using stateful flow inspection, and then attempt to define flow inspection and what it does.
In the case of active protocols like FTP, GTP and WebSockets, the source port does change in practice, although not for an established flow but for new flows that are spawned as children of the application session.
And for UDP protocols like RADIUS and Diameter it gets even more complex to verbalise where the state of the flow is established and can be hijacked, since there is no state data in the header and some firewalls will track the payload for state.
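To make the stateless-versus-stateful distinction above concrete, here is an added toy model (my own illustration, not code from the podcast or from Ivan's post) that runs constructed packets through an "established"-style access list and through a minimal flow table. It assumes 10.0.0.0/8 is the protected side, and it shows why a spoofed inbound ACK passes the ACL but not the flow table, why UDP "state" for RADIUS is really just a timer, and why the inbound data connection of active-mode FTP is dropped unless the firewall reads the control-channel payload to pre-create the child flow.

```python
from collections import namedtuple

# Constructed packet model; flags are TCP flag letters S/A/R, ts is seconds
Packet = namedtuple("Packet", "proto src sport dst dport flags ts", defaults=("", 0.0))

def inside(ip):
    return ip.startswith("10.")  # assumed trust boundary: 10.0.0.0/8 is protected

def stateless_allow(p):
    """'established'-style ACL: inbound TCP needs ACK/RST, inbound UDP a well-known source port."""
    if inside(p.src):
        return True
    if p.proto == "tcp":
        return "A" in p.flags or "R" in p.flags
    return p.sport in (53, 1812, 1813)  # DNS, RADIUS auth/acct

class StatefulFilter:
    """Flow table: inbound passes only if an inside host opened the flow; UDP state is a timer."""
    UDP_TIMEOUT = 30.0
    def __init__(self):
        self.flows = {}  # (proto, in_ip, in_port, out_ip, out_port) -> last seen
    def _key(self, p):
        if inside(p.src):
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)
    def allow(self, p):
        key = self._key(p)
        if inside(p.src):  # outbound: a new TCP flow must begin with a bare SYN
            if p.proto == "tcp" and key not in self.flows and p.flags != "S":
                return False
            self.flows[key] = p.ts
            return True
        last = self.flows.get(key)
        if last is None:
            return False  # unsolicited or spoofed: no inside host asked for it
        if p.proto == "udp" and p.ts - last > self.UDP_TIMEOUT:
            del self.flows[key]
            return False  # UDP pseudo-state expired
        self.flows[key] = p.ts
        return True

def demo():
    fw = StatefulFilter()
    spoof = Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 22, flags="A")
    req = Packet("udp", "10.0.0.5", 50000, "192.0.2.1", 1812, ts=1)
    rep = Packet("udp", "192.0.2.1", 1812, "10.0.0.5", 50000, ts=2)
    late = Packet("udp", "192.0.2.1", 1812, "10.0.0.5", 50000, ts=100)
    ftp = Packet("tcp", "192.0.2.9", 20, "10.0.0.5", 51000, flags="S", ts=3)  # active-FTP data SYN
    fw.allow(req)
    return {"spoof_stateless": stateless_allow(spoof), "spoof_stateful": fw.allow(spoof),
            "radius_reply": fw.allow(rep), "late_radius_reply": fw.allow(late),
            "ftp_data_stateful": fw.allow(ftp)}
```

The FTP case is the one that needs payload tracking: a real firewall's FTP inspection would parse the PORT/PASV exchange and insert the child flow before the data SYN arrives, which this table does not do.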
So, apologies for not explaining it well. But hey, security needs a LOT of unnecessary explaining for reasons I don’t entirely understand.
Related: Talking about networking security is hard and it's easy to make mistakes when attempting to communicate in a podcast where context is lost.