«

I'd like a good definition of what "stateful packet inspection" is. I find
references all over Cisco.com about it but few if any details. It's like
everyone was supposed to be born with that info. My "assumption" of what SPI
was is like what a PIX does if you have a fixup protocol enabled. Is this not
correct? One explanation of SPI I found at
http://www.firewall-software.com/fir...nspection.html
seems to mean that if I open port 80 on a PIX and use a static mapping to a
private IP than any traffic on 80 will be passed. At least for the PIX if you
use the fixup protocol http 80 command I understand that not to be the case. If
the link above is correct pretty much any NAT device from a BEFSX41 to a PIX
with no fixups enabled so SPI. That can't be right as some claim SPI and others
don't. Can anyone shed a bright light on the subject with links to a definitive
answer?

Thanks...

Thanks...
Brian Bergin

I can be reached via e-mail at
cisco_dot_news_at_comcept_dot_net.

Please post replies to the group so all may benefit.

Brian Bergin wrote:
> I'd like a good definition of what "stateful packet inspection" is. I find
> references all over Cisco.com about it but few if any details. It's like
> everyone was supposed to be born with that info. My "assumption" of what SPI
> was is like what a PIX does if you have a fixup protocol enabled. Is this not
> correct? One explanation of SPI I found at
> http://www.firewall-software.com/fir...nspection.html
> seems to mean that if I open port 80 on a PIX and use a static mapping to a
> private IP than any traffic on 80 will be passed. At least for the PIX if you
> use the fixup protocol http 80 command I understand that not to be the case. If
> the link above is correct pretty much any NAT device from a BEFSX41 to a PIX
> with no fixups enabled so SPI. That can't be right as some claim SPI and others
> don't. Can anyone shed a bright light on the subject with links to a definitive
> answer?
>
> Thanks...
>
> Thanks...
> Brian Bergin
>
> I can be reached via e-mail at
> cisco_dot_news_at_comcept_dot_net.
>
> Please post replies to the group so all may benefit.

http://www.webopedia.com/TERM/S/stat...nspection.html

my definition is a stateful packet inspection firewall is only going to
allow packets in that belong to an existing connection or an answer to a
requested connection.

steve harris <> wrote:

|
|http://www.webopedia.com/TERM/S/stat...nspection.html
|
|my definition is a stateful packet inspection firewall is only going to
|allow packets in that belong to an existing connection or an answer to a
|requested connection.

Thanks. So based on that definition, does Windows XP's ICF count as a stateful
packet inspecting firewall? I have a Microsoft employee assuring me that it is.
I highly doubt it, but wanted to see other input. Would the simple test be to
put up an POP3/SMTP server behind it and then open 110/25 to it then send
improper strings through it? The PIX will simply drop the connections, can't
help but wonder what ICF really can do what they said it can.

Thanks...

Thanks...
Brian Bergin

I can be reached via e-mail at
cisco_dot_news_at_comcept_dot_net.

Please post replies to the group so all may benefit.

Brian Bergin wrote:
> steve harris <> wrote:
>
> |
> |http://www.webopedia.com/TERM/S/stat...nspection.html
> |
> |my definition is a stateful packet inspection firewall is only going to
> |allow packets in that belong to an existing connection or an answer to a
> |requested connection.
>
> Thanks. So based on that definition, does Windows XP's ICF count as a stateful
> packet inspecting firewall? I have a Microsoft employee assuring me that it is.
> I highly doubt it, but wanted to see other input. Would the simple test be to
> put up an POP3/SMTP server behind it and then open 110/25 to it then send
> improper strings through it? The PIX will simply drop the connections, can't
> help but wonder what ICF really can do what they said it can.
>
> Thanks...
>
> Thanks...
> Brian Bergin
>
> I can be reached via e-mail at
> cisco_dot_news_at_comcept_dot_net.
>
> Please post replies to the group so all may benefit.

http://www.microsoft.com/downloads/d...displaylang=en

XP ICF is a stateful packet firewall according to Microsoft

http://www.microsoft.com/windowsxp/e...november12.asp

http://www.microsoft.com/technet/tre...us/aus1001.asp

steve harris <> wrote:

|
|http://www.microsoft.com/technet/tre...us/aus1001.asp

That still doesn't tell me that it does what PIX does if you send illegal
commands via say SMTP or HTTP where the PIX will can those commands.

Thanks...
Brian Bergin

I can be reached via e-mail at
cisco_dot_news_at_comcept_dot_net.

Please post replies to the group so all may benefit.

Brian Bergin <_domain> writes:
> steve harris <> wrote:
>
> |http://www.microsoft.com/technet/tre...us/aus1001.asp
>
> That still doesn't tell me that it does what PIX does if you send illegal
> commands via say SMTP or HTTP where the PIX will can those commands.

It doesn't need to do such things just to qualify as stateful inspection.
The basic explanation of stateful inspection comes easily when you compare
it to classic packet filtering (like with an IOS ACL): Classic packet
filtering is stateless, the filter makes a decision solely based on the
content of the single packet it is about to analyze, with nothing but the
values in there. After making this decision, it instantly drops any
potential knowledge it might have collected about that packet, plain said,
it completely forgets about the packet and starts over with the next one
at zero. Now any implementation that takes such a stateless filter and
adds state collection and later reuse of such state to it is stateful
inspection per definition. This starts at simple things like learning
about a newly established TCP connection from the first SYN and letting
the exactly matching TCP segments pass based on that state information.
It continues at analyzing certain protocols in order to be able to open
additional conduits that the protocol negotiates inband, as done with
FTP. Features can go beyond, like making sure that only those TCP segments
pass which are allowed according to the TCP state engine, or filtering
and manipulating a protocol up to the application layer for instance to
make sure it is used for nothing but the application protocol that should
really be in there (preventing data tunneling through HTTP or DNS etc).
But this is much more than implied by "stateful inspection", so almost
all vendors who supply such extensions to it have their own names for
that. The most basic and classic stateful engines typically provided
support for just TCP reverse direction segments, UDP pseudo connections
and one single application layer inspection for FTP control connections
to learn about inband negotiated FTP data connections (especially the
active ones).

--
The _S_anta _C_laus _O_peration
or "how to turn a complete illusion into a neverending money source"

-> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-