hi,

1) Every CISCO Router can by default do stateful tcp inspection
("established" keyword).

2) With the IOS Firewall Feature Set it can do full stateful inspection
for tcp, udp, and icmp (CBAC and/or reflexive named access lists).


Cheers,
Gernot

Terrance Ingoldsby wrote:
> 
> As a security consultant I encounter many different configurations.  One
> of my clients has found themselves in a situation wherein their
> perimeter protection is essentially a packet filtering router.  I, and
> the security people in the organization, are well aware of the myriad of
> attacks that will make it through router filters (fragmented packets,
> packets without SYN bit set, etc.) but we are having a hard time
> persuading management that the risk is more than theoretical.
> Discussions of the technical issues just cause their eyes to glaze over.
> 
> Does anyone know of a well documented incident that caused significant
> disruption to an organization that used a packet filter router for
> protection instead of a real firewall?  I have lots of anecdotal
> accounts from conferences, etc., but nothing that I can point to that
> says "In Oct, 1999 hackers broke through the brand X router used at
> company ABC and reformatted the disks on 11 servers".  Without a
> concrete example management will conclude that we are just paranoid.
> 
>  - Terry Ingoldsby
>    [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
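As an added illustration (not part of either message), this Python model compares the two filtering styles named in the reply: the `established` keyword, which on IOS matches any TCP segment with the ACK or RST bit set, and a reflexive-style filter that permits inbound traffic only when it mirrors a recorded outbound session. The packet records and addresses are constructed, and the session table is an assumption-level simplification that omits timeouts and session teardown.

```python
"""Constructed model: IOS 'established' ACL match vs. a reflexive-style session table."""
from collections import namedtuple

# Constructed packet record; flags is a frozenset of TCP flag names.
Pkt = namedtuple("Pkt", "src sport dst dport flags")

def established_permits(pkt):
    """'established' keyword: matches any TCP segment with ACK or RST set.
    It inspects only this one packet's header; no session is tracked."""
    return bool(pkt.flags & {"ACK", "RST"})

class ReflexiveTable:
    """Reflexive-ACL style filter: inbound traffic is permitted only if it
    mirrors a session first seen leaving the inside network."""
    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt):
        # Record the mirrored 4-tuple that return traffic must match.
        self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_permits(self, pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions

def compare(outbound_pkts, inbound_pkts):
    """Return [(established_verdict, reflexive_verdict)] per inbound packet."""
    table = ReflexiveTable()
    for p in outbound_pkts:
        table.outbound(p)
    return [(established_permits(p), table.inbound_permits(p)) for p in inbound_pkts]

# Constructed sample traffic (RFC 5737 documentation addresses).
OUT = [Pkt("192.0.2.10", 40000, "198.51.100.5", 80, frozenset({"SYN"}))]
IN = [
    Pkt("198.51.100.5", 80, "192.0.2.10", 40000, frozenset({"SYN", "ACK"})),  # real reply
    Pkt("203.0.113.9", 80, "192.0.2.10", 22, frozenset({"ACK"})),  # unsolicited ACK
    Pkt("203.0.113.9", 80, "192.0.2.10", 22, frozenset({"SYN"})),  # new inbound connection
]

if __name__ == "__main__":
    for pkt, (est, refl) in zip(IN, compare(OUT, IN)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)} "
              f"established={est} reflexive={refl}")
```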