Well said Paul.

On Tue, Feb 2, 2010 at 12:37 PM, Paul Stewart <[email protected]> wrote:
> That command should block non-initial TCP packets that do not have a
> session built. The first packet must be permitted by the ACL or lack
> thereof. It must be a SYN though. Basically a TCP communication
> should start with a 3-way handshake, or there should already be a
> session established. How it works really depends on the ACL and the
> inspection placement and direction.
>
> On Feb 2, 2010, at 12:00 PM, [email protected] wrote:
>
> > Today's Topics:
> >
> >    1. TCP session that doesn't belong to existing session - inspect
> >       based firewall (Kingsley Charles)
> >    2. Re: TCP session that doesn't belong to existing session -
> >       inspect based firewall (Tyson Scott)
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Tue, 2 Feb 2010 18:48:49 +0530
> > From: Kingsley Charles <[email protected]>
> > Subject: [OSL | CCIE_Security] TCP session that doesn't belong to
> >          existing session - inspect based firewall
> > To: [email protected]
> >
> > Hi all
> >
> > The following command is used to block TCP sessions that don't belong to
> > the existing sessions that the firewall is aware of.
> >
> > "ip inspect tcp block-non-session"
> >
> > The default action is to allow non-existing TCP sessions.
> >
> > If we allow non-existing TCP sessions, is that not breaking the
> > firewall?
> > By default it should block, right?
> >
> > Please share your thoughts.
> >
> > With regards
> > Kings
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Tue, 2 Feb 2010 10:32:37 -0500
> > From: Tyson Scott <[email protected]>
> > Subject: Re: [OSL | CCIE_Security] TCP session that doesn't belong to
> >          existing session - inspect based firewall
> > To: Kingsley Charles <[email protected]>
> > Cc: [email protected]
> >
> > Kingsley,
> >
> > In IOS you rely on a strict ACL on the outside to prevent unwanted
> > traffic coming inbound. The inspection engine then creates dynamic
> > entries for traffic that should be dynamically allowed back in through
> > the blocking ACL. By default the inspection engine is not used for
> > filtering sessions. It is the dynamic source for allowing traffic that
> > isn't allowed by default through your protection ACL.
> >
> > The command below enables the inspection engine to be used for blocking
> > TCP traffic inbound on the inspection interface. This blocks ALL traffic
> > sourced from the outside inbound. No TCP traffic that is not initiated
> > from the inside is allowed in. Only dynamic entries created by the
> > inspection rules are allowed back in for TCP sessions.
> >
> > It can be used but most likely is going to cause unwanted results.
> >
> > On Tue, Feb 2, 2010 at 8:18 AM, Kingsley Charles <[email protected]> wrote:
> >
> >> Hi all
> >>
> >> The following command is used to block TCP sessions that don't belong to
> >> the existing sessions that the firewall is aware of.
> >>
> >> "ip inspect tcp block-non-session"
> >
> > --
> > Tyson Scott - CCIE #13513 R&S and Security
> > Technical Instructor - IPexpert, Inc.
> >
> > Telephone: +1.810.326.1444
> > Fax: +1.810.454.0130
> > Mailto: [email protected]
> >
> > Join our free online support and peer group communities:
> > http://www.IPexpert.com/communities
> >
> > IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
> > and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
> > Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage
> > Lab Certifications.
> >
> > End of CCIE_Security Digest, Vol 44, Issue 9
> > ********************************************

--
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
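As an added illustration (my own model, not code from the thread, from Cisco or from IPexpert), the Python below follows the behaviour Paul and Tyson describe: the inbound ACL on the outside interface decides the fate of a first packet, the inspection engine records inside-originated TCP sessions and admits their return traffic through the ACL, and the block-non-session setting drops any inbound TCP packet that is neither a bare SYN nor part of a recorded session, whatever the ACL says. The hosts, ports and ACL are constructed for the example, and the model ignores interface placement and inspection direction, which Paul notes change the real behaviour.

```python
from dataclasses import dataclass, field

# Constructed sample hosts (RFC 5737/1918 documentation ranges), not from the thread.
INSIDE_CLIENT = "10.0.0.5"
INSIDE_WEB = "10.0.0.80"        # published by the outside ACL on tcp/80
OUTSIDE_SERVER = "203.0.113.10"
OUTSIDE_SCANNER = "198.51.100.7"

SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": inside -> outside, "in": outside -> inside
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


@dataclass
class CbacModel:
    """Toy model (hypothetical, not IOS code) of a router with an inbound ACL on the
    outside interface and 'ip inspect <name> tcp' applied inbound on the inside."""
    outside_in_acl: list             # (action, dst_ip, dst_port) in order; implicit deny
    block_non_session: bool = False  # stands in for 'ip inspect tcp block-non-session'
    sessions: set = field(default_factory=set)

    def acl_permits(self, pkt):
        for action, dst, dport in self.outside_in_acl:
            if dst in ("any", pkt.dst) and dport in ("any", pkt.dport):
                return action == "permit"
        return False  # implicit 'deny ip any any'

    def process(self, pkt):
        if pkt.direction == "out":
            # Inspection only sees inside-originated traffic; a bare SYN opens a session.
            if pkt.flags == SYN:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        # Inbound from outside: dynamic inspection entries are checked before the static ACL.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "forward (return traffic of inspected session)"
        if self.block_non_session and pkt.flags != SYN:
            # Not a handshake start and no session: dropped even if the ACL would permit it.
            return "drop (block-non-session)"
        if self.acl_permits(pkt):
            return "forward (permitted by outside ACL)"
        return "drop (outside ACL)"


def run_scenarios(block_non_session):
    """Replay four inbound cases against a fresh router and return the verdict for each."""
    fw = CbacModel(outside_in_acl=[("permit", INSIDE_WEB, 80)],
                   block_non_session=block_non_session)
    verdicts = {}
    # 1. Inside client opens a connection; the SYN/ACK returns to a recorded session.
    fw.process(Packet("out", INSIDE_CLIENT, 40000, OUTSIDE_SERVER, 80, SYN))
    verdicts["syn_ack_to_inside_client"] = fw.process(
        Packet("in", OUTSIDE_SERVER, 80, INSIDE_CLIENT, 40000, SYN_ACK))
    # 2. Fresh SYN to the published web server: a first packet, judged by the ACL.
    verdicts["new_syn_to_web"] = fw.process(
        Packet("in", OUTSIDE_SCANNER, 1234, INSIDE_WEB, 80, SYN))
    # 3. Bare ACK to the web server with no handshake seen (ACK scan, asymmetric path,
    #    or a connection that predates a router reload).
    verdicts["stray_ack_to_web"] = fw.process(
        Packet("in", OUTSIDE_SCANNER, 1235, INSIDE_WEB, 80, ACK))
    # 4. Bare ACK to a host the ACL does not publish.
    verdicts["stray_ack_to_client"] = fw.process(
        Packet("in", OUTSIDE_SCANNER, 1236, INSIDE_CLIENT, 40000, ACK))
    return verdicts


if __name__ == "__main__":
    for setting in (False, True):
        print(f"block-non-session = {setting}")
        for case, verdict in run_scenarios(setting).items():
            print(f"  {case:26} {verdict}")
```

Case 3 is the one the question turns on: with the default setting an ACL-permitted bare ACK to the web server is forwarded although the router holds no session for it, while with block-non-session enabled it is dropped. The same rule also drops legitimate mid-connection packets the router never saw a handshake for, which is the kind of unwanted result to expect when enabling it on a router that sits behind asymmetric paths or has just reloaded.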
