Gernot,

The "established" extended ACL keyword only checks for an ACK in packets.
Letting packets through just because the ACK is set is not good--a number of
well-known scans work because of this.

"Established" is not stateful in any sense of the word.  It was an early
kludge that was followed by reflexive access lists, another kludge.

The FW IOS uses CBAC for true stateful inspection.  CBAC works well, but
has two problems: it is a tool, and depends upon the skill and knowledge
of the person using it; and stateful inspection is completely baffled by
tunnelling hacks that use ICMP, SSH, HTTPS, and other protocols
(e.g. Loki).


--Patrick Darden
--Internetworking Manager
--Athens Regional Medical Center


You Wrote:

1) Every CISCO Router can by default do stateful tcp inspection
("established" keyword).
 
2) With the IOS Firewall Feature Set it can do full stateful inspection
for tcp, udp, and icmp (CBAC and/or reflexive named access lists).
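As an added illustration (not code from the thread or from any Cisco product): a toy Python model contrasting an "established"-style match, which looks only at TCP flags, with a stateful filter that admits inbound packets only for a connection it saw an inside host initiate. The inside prefix, addresses and class names are assumptions; real CBAC inspects far more than this.

```python
# Added example: flag-only "established" matching vs. a minimal stateful table.
# Addresses and the inside prefix are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


def established_permit(pkt: Packet) -> bool:
    """Mimics `permit tcp any any established`: ACK (or RST) set => permit.
    No memory of earlier packets is consulted at all."""
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Remembers connections initiated from the inside prefix and permits
    inbound packets only when they belong to one of those connections."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def permit(self, pkt: Packet) -> bool:
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound traffic: a bare SYN creates state for the return path.
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound traffic: permitted only if the reverse 4-tuple is known.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            self.sessions.discard(key)  # tear down state on close/reset
        return key in self.sessions or key in self.sessions


def demo() -> dict:
    fw = StatefulFilter("10.0.0.")
    fw.permit(Packet("10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"SYN"})))
    reply = Packet("203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
    stray = Packet("198.51.100.7", 1234, "10.0.0.5", 22, frozenset({"ACK"}))
    return {
        "reply_established": established_permit(reply),  # True
        "reply_stateful": fw.permit(reply),               # True
        "stray_established": established_permit(stray),  # True: ACK alone suffices
        "stray_stateful": fw.permit(stray),               # False: no session exists
    }
```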
 
