can someone define this for me or send me to a place with a good definition?

Discussion in 'Cisco' started by Brian Bergin, Dec 23, 2003.

  1. Brian Bergin

    Brian Bergin Guest

    I'd like a good definition of what "stateful packet inspection" is. I find
    references all over Cisco.com about it but few if any details. It's like
    everyone was supposed to be born with that info. My "assumption" of what SPI
    was is like what a PIX does if you have a fixup protocol enabled. Is this not
    correct? One explanation of SPI I found at
    http://www.firewall-software.com/firewall_tech/stateful_packet_inspection.html
    seems to mean that if I open port 80 on a PIX and use a static mapping to a
    private IP then any traffic on 80 will be passed. At least for the PIX, if you
    use the fixup protocol http 80 command I understand that not to be the case. If
    the link above is correct, pretty much any NAT device from a BEFSX41 to a PIX
    with no fixups enabled does SPI. That can't be right, as some claim SPI and others
    don't. Can anyone shed a bright light on the subject with links to a definitive
    answer?

    Thanks...
    Brian Bergin

    I can be reached via e-mail at
    cisco_dot_news_at_comcept_dot_net.

    Please post replies to the group so all may benefit.
     
    Brian Bergin, Dec 23, 2003
    #1

  2. Brian Bergin

    steve harris Guest

    http://www.webopedia.com/TERM/S/stateful_inspection.html

    my definition is a stateful packet inspection firewall is only going to
    allow packets in that belong to an existing connection or an answer to a
    requested connection.
     
    steve harris, Dec 23, 2003
    #2

  3. Brian Bergin

    Brian Bergin Guest

    |
    |http://www.webopedia.com/TERM/S/stateful_inspection.html
    |
    |my definition is a stateful packet inspection firewall is only going to
    |allow packets in that belong to an existing connection or an answer to a
    |requested connection.

    Thanks. So based on that definition, does Windows XP's ICF count as a stateful
    packet inspecting firewall? I have a Microsoft employee assuring me that it is.
    I highly doubt it, but wanted to see other input. Would the simple test be to
    put up a POP3/SMTP server behind it, open 110/25 to it, and then send
    improper strings through it? The PIX will simply drop the connections; I can't
    help but wonder whether ICF really can do what they said it can.

    Thanks...
    Brian Bergin

    I can be reached via e-mail at
    cisco_dot_news_at_comcept_dot_net.

    Please post replies to the group so all may benefit.
     
    Brian Bergin, Dec 23, 2003
    #3
  4. Brian Bergin

    steve harris Guest

    http://www.microsoft.com/downloads/...93-ad93-492f-b74b-97c2fc44e08b&displaylang=en

    XP ICF is a stateful packet firewall according to Microsoft

    http://www.microsoft.com/windowsxp/expertzone/columns/bowman/november12.asp
     
    steve harris, Dec 23, 2003
    #4
  7. Brian Bergin

    Andre Beck Guest

    It doesn't need to do such things just to qualify as stateful inspection.
    The basic explanation of stateful inspection comes easily when you compare
    it to classic packet filtering (like with an IOS ACL): Classic packet
    filtering is stateless; the filter makes a decision solely based on the
    content of the single packet it is about to analyze, with nothing but the
    values in there. After making this decision, it instantly drops any
    potential knowledge it might have collected about that packet; plainly said,
    it completely forgets about the packet and starts over with the next one
    at zero. Now any implementation that takes such a stateless filter and
    adds state collection and later reuse of such state to it is stateful
    inspection per definition. This starts at simple things like learning
    about a newly established TCP connection from the first SYN and letting
    the exactly matching TCP segments pass based on that state information.
    It continues with analyzing certain protocols in order to be able to open
    additional conduits that the protocol negotiates inband, as done with
    FTP. Features can go beyond that, like making sure that only those TCP segments
    pass which are allowed according to the TCP state engine, or filtering
    and manipulating a protocol up to the application layer, for instance to
    make sure it is used for nothing but the application protocol that should
    really be in there (preventing data tunneling through HTTP or DNS etc.).
    But this is much more than implied by "stateful inspection", so almost
    all vendors who supply such extensions to it have their own names for
    that. The most basic and classic stateful engines typically provided
    support for just TCP reverse direction segments, UDP pseudo connections
    and one single application layer inspection for FTP control connections
    to learn about inband negotiated FTP data connections (especially the
    active ones).
     
    Andre Beck, Dec 27, 2003
    #7
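The two definitions given in this thread (steve's "only packets that belong to an existing connection or answer a requested connection", and Andre's "a stateless filter plus a state table that learns from the first SYN and tracks UDP pseudo connections") can be made concrete with a toy filter. The following is an added example, not code from any poster, Cisco or Microsoft. Packets are constructed Python objects rather than real traffic, the addresses are documentation ranges, and the 30-second UDP timeout and the TCP state names are assumptions chosen for illustration. It runs the same constructed packet trace through a stateless ACL (inbound only to TCP/80, the "static mapping" case from the question) and through a stateful filter, so the differing verdicts show exactly what the state table buys.

```python
from dataclasses import dataclass

INSIDE, OUTSIDE = "inside", "outside"


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str       # INSIDE = sent from the protected LAN, OUTSIDE = arriving from the Internet
    flags: frozenset = frozenset()   # TCP flag names, e.g. frozenset({"SYN"})
    ts: float = 0.0      # arrival time in seconds (drives the UDP pseudo-connection timeout)


def stateless_acl(pkt: Packet) -> bool:
    """Classic packet filter (IOS-ACL style): judges each packet in isolation.
    Anything from inside may leave; from outside only TCP to port 80 may enter."""
    if pkt.direction == INSIDE:
        return True
    return pkt.proto == "tcp" and pkt.dport == 80


class StatefulFilter:
    """The same policy plus a state table, in the sense of Andre's reply."""
    UDP_TIMEOUT = 30.0   # assumed idle timeout for UDP pseudo connections

    def __init__(self, allowed_inbound=frozenset({("tcp", 80)})):
        self.allowed_inbound = allowed_inbound
        self.tcp = {}    # originator 5-tuple -> "SYN_SENT" | "SYN_RECEIVED" | "ESTABLISHED"
        self.udp = {}    # originator 5-tuple -> time of last packet seen

    @staticmethod
    def _fwd(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _rev(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> bool:
        return self._tcp(pkt) if pkt.proto == "tcp" else self._udp(pkt)

    def _tcp(self, pkt):
        fwd, rev, f = self._fwd(pkt), self._rev(pkt), pkt.flags
        if f == {"SYN"}:
            # New connection: admit only if it originates inside or the service is
            # explicitly opened, and remember it so the replies can be matched.
            if pkt.direction == INSIDE or (pkt.proto, pkt.dport) in self.allowed_inbound:
                self.tcp[fwd] = "SYN_SENT"
                return True
            return False
        if rev in self.tcp:                      # reply direction of a known connection
            if "RST" in f:
                del self.tcp[rev]
                return True
            if self.tcp[rev] == "SYN_SENT" and f == {"SYN", "ACK"}:
                self.tcp[rev] = "SYN_RECEIVED"
                return True
            if self.tcp[rev] == "ESTABLISHED":
                if "FIN" in f:
                    del self.tcp[rev]
                return True
            return False                         # segment does not fit this state
        if fwd in self.tcp:                      # originator's side of a known connection
            if self.tcp[fwd] == "SYN_RECEIVED" and "ACK" in f:
                self.tcp[fwd] = "ESTABLISHED"    # handshake complete
                return True
            if self.tcp[fwd] == "ESTABLISHED":
                if f & {"FIN", "RST"}:
                    del self.tcp[fwd]
                return True
            return False
        return False     # no SYN and no state: an orphan segment, dropped

    def _udp(self, pkt):
        for key in (self._fwd(pkt), self._rev(pkt)):
            last = self.udp.get(key)
            if last is not None and pkt.ts - last <= self.UDP_TIMEOUT:
                self.udp[key] = pkt.ts           # refresh the pseudo connection
                return True
        if pkt.direction == INSIDE:
            self.udp[self._fwd(pkt)] = pkt.ts    # open a pseudo connection
            return True
        return False


def run_scenario():
    """Constructed trace; returns [(label, stateless verdict, stateful verdict)]."""
    sf = StatefulFilter()
    client, web, dns = "10.0.0.5", "203.0.113.10", "198.51.100.1"
    trace = [
        ("orphan ACK from outside to port 80", Packet("tcp", "192.0.2.9", 5555, client, 80, OUTSIDE, frozenset({"ACK"}))),
        ("client SYN out to 443", Packet("tcp", client, 40000, web, 443, INSIDE, frozenset({"SYN"}))),
        ("server SYN/ACK back", Packet("tcp", web, 443, client, 40000, OUTSIDE, frozenset({"SYN", "ACK"}))),
        ("client final ACK", Packet("tcp", client, 40000, web, 443, INSIDE, frozenset({"ACK"}))),
        ("server data segment", Packet("tcp", web, 443, client, 40000, OUTSIDE, frozenset({"ACK"}))),
        ("server data to wrong client port", Packet("tcp", web, 443, client, 40001, OUTSIDE, frozenset({"ACK"}))),
        ("DNS query out", Packet("udp", client, 50000, dns, 53, INSIDE, ts=10.0)),
        ("DNS reply 1s later", Packet("udp", dns, 53, client, 50000, OUTSIDE, ts=11.0)),
        ("UDP from same source 49s later", Packet("udp", dns, 53, client, 50000, OUTSIDE, ts=60.0)),
    ]
    return [(label, stateless_acl(p), sf.filter(p)) for label, p in trace]


if __name__ == "__main__":
    for label, sl, st in run_scenario():
        print(f"{label:36} stateless={'pass' if sl else 'drop'}  stateful={'pass' if st else 'drop'}")
```

The interesting rows are the first (an unsolicited ACK to the opened port passes the ACL but not the stateful filter, because no SYN created state), the SYN/ACK and data replies (dropped by the ACL, since they arrive on an ephemeral port, but passed by the stateful filter because they match the connection learned from the client's SYN), and the late UDP packet (passed within the timeout, dropped once the pseudo connection has expired). Per Andre's definition, the stateful filter qualifies as stateful inspection even though it understands nothing about HTTP or SMTP; the "improper strings" test Brian proposes would exercise application-layer inspection, which is a separate feature.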