"Paul D. Robertson" wrote:
>
> TCP-based systems keep their own state, and other than some DoS stuff
> (which should be tuned on Internet-accessible hosts anyway), there's not a
> great deal of value from the filter keeping state. Cisco router filtering
> on a normal IOS image isn't stateful either, but it's still the best
> first-line of defense.
What about the ability to block incoming packets that are not part of a session
initiated from the inside? This enables permitting outgoing connections to
servers without allowing all the high, dynamic ports in. While Cisco's
'established' keyword provides similar functionality, it allows crafted
packets without the SYN bit set to enter the internal network and probe for
open ports.
--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/protecting_yourself.shtml
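The difference Gary describes, as an added illustration that is not part of the original post: a toy model of the IOS 'established' check (inbound allowed when ACK or RST is set) beside a stateful filter that only admits inbound packets matching a session opened from the inside. Hosts, ports and flags are constructed sample values.

```python
"""Toy filters contrasting the 'established' keyword with stateful session tracking."""
from dataclasses import dataclass

# TCP flag bits (assumed standard values).
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool  # True when the packet arrives from the outside


class EstablishedFilter:
    """Models the IOS 'established' keyword: inbound TCP passes if ACK or RST is set."""

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            return True
        return bool(pkt.flags & (ACK | RST))


class StatefulFilter:
    """Admits inbound packets only when they belong to a session initiated from inside."""

    def __init__(self) -> None:
        # Keys: (inside_host, inside_port, outside_host, outside_port)
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.flags & SYN and not pkt.flags & ACK:  # outbound connection opening
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def run_scenario() -> dict:
    """Returns each filter's verdict on a legitimate reply and on an ACK-only probe."""
    outbound = Packet("10.0.0.5", 40000, "203.0.113.9", 80, SYN, inbound=False)
    reply = Packet("203.0.113.9", 80, "10.0.0.5", 40000, SYN | ACK, inbound=True)
    # Constructed crafted packet: ACK set, no SYN, aimed at an internal port (no session).
    probe = Packet("198.51.100.7", 1234, "10.0.0.5", 445, ACK, inbound=True)
    results = {}
    for name, filt in (("established", EstablishedFilter()), ("stateful", StatefulFilter())):
        filt.allow(outbound)
        results[name] = {"reply": filt.allow(reply), "ack_probe": filt.allow(probe)}
    return results
```

The 'established' model lets the ACK-only probe through while the stateful model drops it, because no inside host opened a session to 198.51.100.7.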