
Re: Anyone studying for Cisco certs?



Joe inquired:
> The pix uses a stateful packet filter, is this different than stateful
> packet inspection?

Yes. Stateful packet filtering means things like once I get a connection
from A, I'll allow any related connections from A. This is mildly useful
for FTP, but it's a half-fast job at doing it correctly. This is critical
for doing the TCP three-way-handshake to move connections from the
main port to a secondary port (i.e. your "well-known" services running
on standard ports - http, ssh, telnet, smtp, etc.). When you connect
to port 80, for example, the first thing the server does is to execute
a handshake to move the connection to some random high port (sometimes also 
called an ephemeral port). The firewall *HAS* to be able to know that the
two connections are related when it dynamically creates the rule for
the new ephemeral connection.

Stateful packet inspection means looking at the payload in the packets,
not just the IP headers and flags. This is crucial for doing FTP properly,
where you need to watch the data in the control channel as the server and
client tell each other what IP and port they will make data connections on.
Thus the firewall can create a dynamic rule for the data connection.

> If they are the same does the pix have a problem
> with it filtering technology?

They should have just ripped off the BSD code like everyone else.
But, not-invented-here and using free unpatentable technology isn't what 
Cisco and its shareholders are about. They want something that continues
their near monopoly in network equipment. Ever wonder why the DOJ doesn't
go after Cisco? Ever wonder why Cisco doesn't push back on support for new
CALEA and PATRIOT wiretap and network surveillance capabilities?

Did you see the recent RFC - proposed by Cisco engineers, BTW - proposing a
system of wiretapping where *multiple* *simultaneous* wiretaps could be
in effect, and they would be not detectable by each other, i.e. your local
police would not know that the Feds were already wiretapping you, but,
even more importantly, any oversight agency would be unable to detect abuse 
of such a facility by any other law enforcement agency. If the local cops 
could wiretap you and there was no way for the Feds to tell they were 
doing it, and they decided not to bother with judges and such, do you 
think they would be miraculously and suddenly impervious to corruption 
and abuse?

If so, you probably think that patrol cops never run a license plate to 
get personal information about an attractive person they might want to
pursue socially. Or to "geographically profile" the owner of a vehicle.

Mike808/


---------------------------------------------
http://www.valuenet.net
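The post describes a firewall watching the FTP control channel to learn the IP and port of the upcoming data connection and then opening a dynamic rule for it. The script below is an added illustration of that stateful-inspection step and is not code from the post or from any Cisco product. It parses the two forms in which FTP announces a data endpoint (the client's PORT command for active mode, the server's 227 reply for passive mode), derives the address and port, and only emits a pinhole when the announced address matches the peer that is expected to own that side of the control connection; the sample control-channel lines and the client/server addresses are constructed for the example.

```python
import re

# Constructed sample control-channel traffic (direction, line); not from the post.
SAMPLE_LINES = [
    ("client", "PORT 192,168,1,10,4,1"),                          # active mode
    ("server", "227 Entering Passive Mode (203,0,113,5,195,80)"), # passive mode
    ("client", "PORT 10,0,0,1,0,21"),                             # mismatched host
]

# FTP encodes an endpoint as h1,h2,h3,h4,p1,p2 where port = p1*256 + p2 (RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_endpoint(direction, line):
    """Return (ip, port) announced on the control channel, or None if the
    line is not an endpoint announcement or its fields are out of range."""
    regex = PORT_RE if direction == "client" else PASV_RE
    m = regex.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pinhole(direction, line, client_ip, server_ip):
    """Build the dynamic data-channel rule a stateful-inspection firewall
    would add for this control-channel line, or None if nothing should open.

    The announced host must be the peer that actually owns that side of the
    control connection; refusing anything else keeps the firewall from being
    talked into opening a path to a third host. Ports below 1024 are refused
    because a data connection has no business landing on a well-known service.
    """
    ep = parse_endpoint(direction, line)
    if ep is None:
        return None
    ip, port = ep
    expected_owner = client_ip if direction == "client" else server_ip
    if ip != expected_owner or port < 1024:
        return None
    if direction == "client":
        # Active mode: server connects from port 20 to the client's endpoint.
        return {"src": server_ip, "sport": 20, "dst": ip, "dport": port, "proto": "tcp"}
    # Passive mode: client connects to the server's endpoint.
    return {"src": client_ip, "dst": ip, "dport": port, "proto": "tcp"}


def process_session(lines, client_ip, server_ip):
    """Walk a control-channel transcript and collect the pinholes to install."""
    rules = []
    for direction, line in lines:
        rule = pinhole(direction, line, client_ip, server_ip)
        if rule is not None:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in process_session(SAMPLE_LINES, "192.168.1.10", "203.0.113.5"):
        print(rule)
```

Only the first two sample lines produce rules; the third announces a host that is not the client on the control connection, so the firewall ignores it rather than opening a path for it.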


