Merton Campbell Crockett wrote:
>
> > Kind of wondering if IOS is still a good example of basic packet
> > filtering. The new filters maintain connection state. This means no more
> > leaving open >1023 est and being susceptible to FIN/RST scans. It also
> > means you can control UDP flow properly.
>
> Cisco IOS 12 with the Firewall Feature Set would probably not be a good
> example. :-) But, I and many of my customers are still running some older
> versions of Cisco IOS.
I'm not talking the firewall feature set but the Reflexive filtering
introduced in IOS 11.3. Originally it was TCP only but 12.x expanded it
to include all of IP.
> Can't. I haven't played with dynamic packet filtering yet. But some of my
> experience with Firewall-1 suggests that there might not be as much
> inspection as they would have you believe.
Pretty much what I've found by going through the script files. Most of
it is just state checking. There is actually very little payload
verification to ensure that the correct apps are using the well known
sockets. If this was not the case Loki & Netcat would not work so well
through the default Properties settings. ;)
Cheers,
Chris
--
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
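The contrast the thread draws, as an added illustration rather than anything posted in it: the pre-11.3 "established" style rule that leaves the high ports open, beside a reflexive ACL of the kind introduced in IOS 11.3 (TCP) and extended to UDP/ICMP in 12.x. Interface and list names are assumed; adjust to the router in question.

```cisco
! --- Old style: no connection state ---
! "established" only tests that the ACK or RST flag is set, so any
! crafted segment carrying those flags reaches ports above 1023.
access-list 101 permit tcp any any gt 1023 established
access-list 101 deny   ip  any any log
!
! --- Reflexive style (IOS 11.3 for TCP, 12.x adds UDP/ICMP) ---
! Outbound sessions create temporary entries in the named reflexive
! lists; only replies matching those entries are let back in.
ip access-list extended OUTBOUND
 permit tcp  any any reflect TCP-REFLECT  timeout 300
 permit udp  any any reflect UDP-REFLECT  timeout 60
 permit icmp any any reflect ICMP-REFLECT timeout 30
!
ip access-list extended INBOUND
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 evaluate ICMP-REFLECT
 deny ip any any log
!
! Assumed external interface name; apply OUTBOUND out and INBOUND in.
interface Serial0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Check with `show access-lists` while a session is open: the reflexive entries appear under the list names above and are removed after the timeout or on FIN/RST, which is the state that the "established" rule never tracked.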