Stateful filtering (cont)

It is still possible to insert packets in this way, when an attacker can guess ports and addresses
This is not always as hard as it seems
Also, taking over a TCP connection goes unnoticed by the packet filter
Implemented in most firewall software, e.g. FreeBSD's ipfw, Cisco PIX

It is still possible to insert packets in this way, when an attacker can guess ports and addresses