can someone define this for me or send me to a place with a good definition?

Discussion in 'Cisco' started by Brian Bergin, Dec 23, 2003.

    Brian Bergin Guest

    I'd like a good definition of what "stateful packet inspection" is. I find
    references all over Cisco.com about it but few if any details. It's like
    everyone was supposed to be born with that info. My "assumption" of what SPI
    was is like what a PIX does if you have a fixup protocol enabled. Is this not
    correct? One explanation of SPI I found at
    http://www.firewall-software.com/firewall_tech/stateful_packet_inspection.html
    seems to mean that if I open port 80 on a PIX and use a static mapping to a
    private IP then any traffic on 80 will be passed. At least for the PIX, if you
    use the fixup protocol http 80 command I understand that not to be the case. If
    the link above is correct, pretty much any NAT device from a BEFSX41 to a PIX
    with no fixups enabled does SPI. That can't be right as some claim SPI and others
    don't. Can anyone shed a bright light on the subject with links to a definitive
    answer?

    Thanks...
    Brian Bergin

    I can be reached via e-mail at
    cisco_dot_news_at_comcept_dot_net.

    Please post replies to the group so all may benefit.
     
    Brian Bergin, Dec 23, 2003
    #1

    steve harris Guest

    Re: can someone define this for me or send me to a place with a good definition?


    http://www.webopedia.com/TERM/S/stateful_inspection.html

    My definition: a stateful packet inspection firewall is only going to
    allow in packets that belong to an existing connection or are an answer to a
    requested connection.
     
    steve harris, Dec 23, 2003
    #2

    Brian Bergin Guest

    steve harris <> wrote:

    |
    |http://www.webopedia.com/TERM/S/stateful_inspection.html
    |
    |my definition is a stateful packet inspection firewall is only going to
    |allow packets in that belong to an existing connection or an answer to a
    |requested connection.

    Thanks. So based on that definition, does Windows XP's ICF count as a stateful
    packet inspecting firewall? I have a Microsoft employee assuring me that it is.
    I highly doubt it, but wanted to see other input. Would the simple test be to
    put up a POP3/SMTP server behind it and then open 110/25 to it, then send
    improper strings through it? The PIX will simply drop the connections; can't
    help but wonder whether ICF really can do what they said it can.

    Thanks...
    Brian Bergin

    I can be reached via e-mail at
    cisco_dot_news_at_comcept_dot_net.

    Please post replies to the group so all may benefit.
     
    Brian Bergin, Dec 23, 2003
    #3

    steve harris Guest

    Re: can someone define this for me or send me to a place with a good definition?


    http://www.microsoft.com/downloads/...93-ad93-492f-b74b-97c2fc44e08b&displaylang=en

    XP ICF is a stateful packet firewall according to Microsoft

    http://www.microsoft.com/windowsxp/expertzone/columns/bowman/november12.asp
     
    steve harris, Dec 23, 2003
    #4

    Andre Beck Guest

    Brian Bergin <_domain> writes:
    > steve harris <> wrote:
    >
    > |http://www.microsoft.com/technet/tr...l=/technet/columns/security/askus/aus1001.asp
    >
    > That still doesn't tell me that it does what PIX does if you send illegal
    > commands via say SMTP or HTTP where the PIX will can those commands.


    It doesn't need to do such things just to qualify as stateful inspection.
    The basic explanation of stateful inspection comes easily when you compare
    it to classic packet filtering (like with an IOS ACL): Classic packet
    filtering is stateless; the filter makes a decision solely based on the
    content of the single packet it is about to analyze, with nothing but the
    values in there. After making this decision, it instantly drops any
    potential knowledge it might have collected about that packet; plainly said,
    it completely forgets about the packet and starts over with the next one
    at zero. Now any implementation that takes such a stateless filter and
    adds state collection and later reuse of such state to it is stateful
    inspection by definition. This starts at simple things like learning
    about a newly established TCP connection from the first SYN and letting
    the exactly matching TCP segments pass based on that state information.
    It continues with analyzing certain protocols in order to be able to open
    additional conduits that the protocol negotiates inband, as done with
    FTP. Features can go beyond that, like making sure that only those TCP segments
    pass which are allowed according to the TCP state engine, or filtering
    and manipulating a protocol up to the application layer, for instance to
    make sure it is used for nothing but the application protocol that should
    really be in there (preventing data tunneling through HTTP or DNS etc.).
    But this is much more than implied by "stateful inspection", so almost
    all vendors who supply such extensions to it have their own names for
    that. The most basic and classic stateful engines typically provided
    support for just TCP reverse direction segments, UDP pseudo connections
    and one single application layer inspection for FTP control connections
    to learn about inband negotiated FTP data connections (especially the
    active ones).

    --
    The _S_anta _C_laus _O_peration
    or "how to turn a complete illusion into a neverending money source"

    -> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-
     
    Andre Beck, Dec 27, 2003
    #7
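Andre's stateless-versus-stateful contrast (and steve harris's one-line definition earlier in the thread) in working code, as an added example that is not part of the original thread and not Cisco's, Microsoft's or any vendor's implementation: a toy IOS-style ACL that judges each packet in isolation, next to a minimal stateful engine that learns a TCP connection from its first SYN, tracks UDP pseudo-connections from the first outbound datagram, and parses the FTP control channel for PORT so the active-mode data connection can come back in. The Packet class, the addresses and ports, the "inside" prefix 10.0.0.x and the packet sequence in demo() are all constructed for the demo; the state machine is deliberately simplified (no sequence or window checks, no timeouts, no PASV handling).

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN", "ACK"})
    payload: bytes = b""

INSIDE_PREFIX = "10.0.0."  # assumed inside network for this demo
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n")

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

def fwd(p: Packet):  # connection key as seen from this packet
    return (p.src, p.sport, p.dst, p.dport)

def rev(p: Packet):  # key of the opposite direction
    return (p.dst, p.dport, p.src, p.sport)

def stateless_acl(pkt: Packet) -> bool:
    """IOS-style stateless ACL: verdict from this packet's header alone. Permit
    anything from inside; from outside only TCP with ACK set ('established')."""
    return is_inside(pkt.src) or (pkt.proto == "tcp" and "ACK" in pkt.flags)

class StatefulFilter:
    """Learns TCP connections from the first SYN, UDP pseudo-connections from the
    first outbound datagram, and parses FTP PORT to admit the active-mode data SYN."""

    def __init__(self):
        self.tcp = {}          # fwd-key of the initiator -> "SYN_SENT" | "ESTABLISHED"
        self.udp = set()       # fwd-keys of outbound datagrams awaiting an answer
        self.pinholes = set()  # (ip, port): one-shot inbound SYN allowances

    def process(self, pkt: Packet) -> bool:
        return self._tcp(pkt) if pkt.proto == "tcp" else self._udp(pkt)

    def _udp(self, pkt):
        if is_inside(pkt.src):
            self.udp.add(fwd(pkt))        # remember the request
            return True
        return rev(pkt) in self.udp       # only an answer to a request passes

    def _tcp(self, pkt):
        f, r, flags = fwd(pkt), rev(pkt), pkt.flags
        if "ESTABLISHED" in (self.tcp.get(f), self.tcp.get(r)):
            self._inspect_ftp(pkt)        # segment of a tracked connection
            return True
        if flags == frozenset({"SYN", "ACK"}) and self.tcp.get(r) == "SYN_SENT":
            self.tcp[r] = "ESTABLISHED"   # the answer to a SYN we saw go out
            return True
        if flags == frozenset({"SYN"}):
            if is_inside(pkt.src) or (pkt.dst, pkt.dport) in self.pinholes:
                self.pinholes.discard((pkt.dst, pkt.dport))
                self.tcp[f] = "SYN_SENT"
                return True
        return False  # e.g. a forged inbound ACK with no matching state

    def _inspect_ftp(self, pkt):
        # Application-layer inspection: "PORT h1,h2,h3,h4,p1,p2" on the control
        # channel announces where the server will connect for active-mode data.
        m = PORT_RE.match(pkt.payload) if pkt.dport == 21 and is_inside(pkt.src) else None
        if m:
            h = [int(x) for x in m.groups()]
            self.pinholes.add((".".join(map(str, h[:4])), h[4] * 256 + h[5]))

def demo() -> dict:
    """Constructed packets through both filters; returns the verdicts by name."""
    fw = StatefulFilter()
    client, web, ftp, dns = "10.0.0.5", "203.0.113.10", "198.51.100.7", "203.0.113.53"
    SYN, SYNACK, ACK, PSHACK = [frozenset(s) for s in
                                ({"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"PSH", "ACK"})]
    forged = Packet("tcp", "203.0.113.9", 4444, client, 445, ACK)
    r = {
        "forged_ack_stateless": stateless_acl(forged),
        "forged_ack_stateful": fw.process(forged),
        "web_syn": fw.process(Packet("tcp", client, 40000, web, 80, SYN)),
        "web_synack": fw.process(Packet("tcp", web, 80, client, 40000, SYNACK)),
        "web_data": fw.process(Packet("tcp", web, 80, client, 40000, PSHACK, b"HTTP/1.0 200 OK")),
        "stray_synack": fw.process(Packet("tcp", web, 80, client, 40001, SYNACK)),
        "unsolicited_syn": fw.process(Packet("tcp", "203.0.113.9", 5555, client, 25, SYN)),
    }
    fw.process(Packet("tcp", client, 40050, ftp, 21, SYN))   # FTP control channel
    fw.process(Packet("tcp", ftp, 21, client, 40050, SYNACK))
    fw.process(Packet("tcp", client, 40050, ftp, 21, PSHACK, b"PORT 10,0,0,5,156,164\r\n"))
    r["ftp_data_syn"] = fw.process(Packet("tcp", ftp, 20, client, 40100, SYN))
    r["ftp_data_other_host"] = fw.process(Packet("tcp", "203.0.113.9", 20, client, 40100, SYN))
    r["dns_query"] = fw.process(Packet("udp", client, 5353, dns, 53))
    r["dns_reply"] = fw.process(Packet("udp", dns, 53, client, 5353))
    r["dns_unsolicited"] = fw.process(Packet("udp", dns, 53, client, 5354))
    return r
```

The forged inbound ACK is the textbook difference: the stateless ACL's "established" keyword passes it because the flag bit is set in that one packet, while the stateful engine has no entry for the 4-tuple and drops it. The PORT parsing is the FTP-style application-layer inspection Andre mentions as the one classic extension; it is the same kind of thing a PIX fixup does, only far less thorough. It also shows why opening a port with a static mapping is not the same as "stateful": the pinhole here exists only because the inside client announced it on the control channel, and is consumed by the first SYN that uses it.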