Re: Anyone studying for Cisco certs?
> Wouldn't the Adaptive Security Algorithm combined with the stateful
> packet filter accomplish the same thing as stateful packet inspection?
> I have no idea about the IP spoof checker either.
Not sure about the Adaptive Security Algorithm, I'll have to do some
reading on that. Pretty much everyone that I have talked to that works
with those things, including people at Cisco, call them Glorified packet
filters. There is no real security to them. IP spoof is a pretty big
thing, you can back channel connections and even attack if spoofed packets
are not checked for. Think about it like this, you have a piece of code
that has a payload used to take out a machine, let's pick on IIS (hehe).
This piece of code had a spoofed address so that the connection cannot be
traced back to you. Once it leaves your machine, all the router is
looking at is the destination so it won't really even get looked at until
it gets to your firewall. Once it is there, your firewall will take a
look at it. If you have IP spoof checking, it will realize that no packet
with that source could ever be coming from that interface so it will be
dropped. Otherwise, the packet will be allowed to traverse through and
nail the IIS server.
That was a massively simplified explanation of the need for IP Spoof
checking.
I did some checking, and apparently PIX has introduced some Stateful
Packet Inspection. The reading I did was on the PIX v525.
At work, we use Checkpoint FW-1 and at home I use IP Filter. It is all
just a matter of choice.
HTH
Tighe
--
Tighe Schlottog workape fiaid
"Nothing is too cruel if it is funny enough."
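
Added example, not part of the original message: a minimal Python model of the per-interface source check described above, where the firewall drops a packet whose source address could not have arrived on that interface. The interface names, address ranges and sample packets are constructed assumptions, not taken from any PIX, FW-1 or IP Filter configuration.

```python
import ipaddress

# Constructed topology (assumption): networks that sit behind each interface.
INTERFACE_NETS = {
    "inside": [ipaddress.ip_network("192.168.10.0/24")],
    "dmz": [ipaddress.ip_network("203.0.113.0/28")],
}
EXTERNAL_IF = "outside"  # Internet-facing interface (assumed name)

# Sources that are never valid on the Internet-facing interface.
NEVER_EXTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

def spoof_check(in_iface, src):
    """Return (allowed, reason) for a packet with source `src` seen on `in_iface`."""
    addr = ipaddress.ip_address(src)
    if in_iface == EXTERNAL_IF:
        # A protected network's own address cannot arrive from the Internet.
        for name, nets in INTERFACE_NETS.items():
            if any(addr in n for n in nets):
                return False, f"source belongs behind {name}"
        if any(addr in n for n in NEVER_EXTERNAL):
            return False, "source is not routable on the Internet"
        return True, "plausible external source"
    nets = INTERFACE_NETS.get(in_iface)
    if nets is None:
        return False, "unknown interface"
    if any(addr in n for n in nets):
        return True, f"source belongs behind {in_iface}"
    return False, f"source cannot originate behind {in_iface}"

# Constructed sample packets: (arrival interface, claimed source address)
SAMPLE = [
    ("outside", "192.168.10.5"),   # claims to be an inside host
    ("outside", "198.51.100.7"),   # ordinary external address
    ("inside", "192.168.10.5"),    # inside host on the inside interface
    ("inside", "198.51.100.7"),    # inside host forging an external source
]

if __name__ == "__main__":
    for iface, src in SAMPLE:
        allowed, reason = spoof_check(iface, src)
        print(f"{iface:8} {src:15} {'PASS' if allowed else 'DROP'}  {reason}")
```

A check of this kind only rejects sources that are impossible for the arrival interface; a forged source that is itself a plausible external address still passes and has to be handled by the rest of the rule set.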