have a look

http://www.cisco.com/warp/public/707/2.html
----- Original Message -----
From: "Kent Hundley" 
To: ; "'Kent Hundley'" ;

Sent: Saturday, September 01, 2001 12:03 AM
Subject: RE: ACL - TCP established [7:17297]


> From the context of the original question, I assumed the poster was talking
> about using the 'established' keyword with a Cisco router access-list, not
> the 'established' command on a Cisco PIX.  One has nothing to do with the
> other.
>
> However, you are correct about using the permit and permitfrom with the
> established command on the PIX. It's just not relevant to what the poster
> was asking.
>
> -Kent
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 31, 2001 9:45 AM
> To: Kent Hundley; [EMAIL PROTECTED]
> Subject: Re: ACL - TCP established [7:17297]
>
>
> It is highly recommended that you use permit to and permitfrom with the
> established command.
>
> ----- Original Message -----
> From: "Kent Hundley" 
> To: 
> Sent: Friday, August 31, 2001 12:45 AM
> Subject: RE: ACL - TCP established [7:17297]
>
>
> > First, there are security risks in everything.  Nothing is 100% secure and
> > given enough skill, time and effort any security countermeasure can be
> > bypassed.  What one person builds another person can break, etc., etc.
> >
> > Now, as to whether the ACK or RST flag can be manipulated, yes they can. If
> > one wants to, they can write code to create packets that have whatever bits
> > you want set, whatever options, whatever addresses, etc.
> >
> > If a machine receives a packet with an ACK bit set that it does not have a
> > session with, the stack should do something logical with it such as drop the
> > packet or send a RST. (I don't recall what the RFC says to do)
> >
> > However, IP stacks are just software written by humans and humans make
> > mistakes.  There's no guarantee that a stack won't do something illogical
> > with an illogical packet, so yes, there's some risk involved.  There's also
> > the fact that the 'established' command is only good for TCP streams, so
> > lots of UDP attacks will not be blocked at all.
> >
> > HTH,
> > Kent
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > phyrz
> > Sent: Saturday, August 25, 2001 11:34 PM
> > To: [EMAIL PROTECTED]
> > Subject: ACL - TCP established [7:17297]
> >
> >
> > When using the established keyword at the end of an ACL statement, are
> > there any security risks?
> >
> > Can the ACK or RST flag in a segment header be set from a source terminal
> > to trick the ACL, making it look like the segment is responding to a
> > request?
> > If so, I would think that anything that received the segment would ignore
> > it. Any thoughts?
> >
> > Phyrz
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=18122&t=17297
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
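The thread's point is that the IOS `established` keyword inspects only the ACK and RST bits of each segment and keeps no connection state, so any inbound segment with ACK set matches, whether or not an inside host ever opened that connection. The model below is an added example, not code from the thread or from Cisco: it parses the flags field of a raw TCP header, applies the stateless `established` test, and contrasts it with a minimal stateful filter that permits inbound segments only for connections an inside host initiated. The IP addresses, ports and header bytes are constructed here; the hypothetical `StatefulFilter` class stands in for reflexive ACLs or CBAC/firewall inspection, which is the usual mitigation.

```python
"""Stateless 'established' matching vs. a stateful connection table (added example)."""
import struct

# TCP flag bits in the low 6 bits of the 16-bit data-offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Construct a minimal 20-byte TCP header (constructed test data; checksum left 0)."""
    data_offset = 5 << 12  # 5 x 32-bit words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset | flags, 65535, 0, 0)


def parse_tcp_flags(segment):
    """Return the 6 flag bits of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def established_matches(segment):
    """IOS 'established' semantics: match when ACK or RST is set, nothing else checked."""
    return bool(parse_tcp_flags(segment) & (ACK | RST))


class StatefulFilter:
    """Hypothetical stateful model: outbound SYNs create entries, inbound segments
    are permitted only if they belong to an entry (stand-in for reflexive ACLs)."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, src_ip, dst_ip, segment):
        sport, dport = struct.unpack("!HH", segment[:4])
        if parse_tcp_flags(segment) & SYN:
            # store the tuple in the orientation the reply will arrive in
            self.sessions.add((dst_ip, dport, src_ip, sport))

    def inbound_permitted(self, src_ip, dst_ip, segment):
        sport, dport = struct.unpack("!HH", segment[:4])
        return (src_ip, sport, dst_ip, dport) in self.sessions


def demo():
    """Evaluate three constructed inbound segments under both filters.
    Returns {case: (established_matches, stateful_permitted)}."""
    inside, server, outsider = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    fw = StatefulFilter()
    # inside host opens a web connection; only the stateful filter remembers it
    fw.outbound(inside, server, build_tcp_header(40000, 80, SYN))
    cases = {
        # genuine SYN-ACK reply to the connection above
        "legit_reply": (server, inside, build_tcp_header(80, 40000, SYN | ACK)),
        # ACK set, but no inside host ever opened this connection
        "unsolicited_ack": (outsider, inside, build_tcp_header(4444, 23, ACK)),
        # plain inbound connection attempt
        "inbound_syn": (outsider, inside, build_tcp_header(4444, 23, SYN)),
    }
    return {name: (established_matches(seg), fw.inbound_permitted(src, dst, seg))
            for name, (src, dst, seg) in cases.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:16} established={stateless!s:5} stateful={stateful}")
```

The `unsolicited_ack` case is the one the original poster asked about: the stateless rule passes it because only the flag bits are examined, while the stateful table rejects it because no inside host initiated that 4-tuple. As Kent notes, what the receiving stack then does with an ACK for a session it does not have is up to that stack, which is why the practical mitigation is to keep connection state at the filter rather than rely on the end host.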