On Mon, 21 Feb 2000, Chris Brenton wrote:
> Kind of wondering if IOS is still a good example of basic packet
> filtering. The new filters maintain connection state. This means no more

The new filters in the normal image, or in Firewall Feature Set? If it's
firewall feature set, then the normal IOS stuff still stands as a good
example (and cheap on 16xx and 26xx's where IOS IP Only comes with the
hardware.)

> leaving open >1023 est and being susceptible to FIN/RST scans. It also
> means you can control UDP flow properly.
>
> I would also argue that dynamic packet filtering is 97% as effective as
> Stateful Inspection as most protocols are not "inspected", just
> dynamically filtered.

It'll help with things like DNS queries to servers that aren't
authoritative. That was my main reason for going with IPFilter over
another packet filtering implementation at my last job.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280