RE: Stateful inspection

Inbound and Outbound pertain to the origination point.


For instance, to have a web server in the DMZ accessible to the Internet you
would need an inbound rule. If there is no outbound, you could not reach a
web site on the Internet from the DMZ.


ISA is doing stateful packet. What that is is a comparison between the inbound
and outbound connections and if they match. Example: If you had an outbound
SMTP rule, ISA would allow the SMTP traffic out. But as part of that
session, there will be inbound traffic. Stateful packet inspection will look
at the inbound traffic, such as a response or verification, and match it to
an outbound to ensure that the inbound is what the outbound was expecting.


The reason you have the option of both is to eliminate the amount of rules,
as each bit of traffic must traverse the rules until a match is found. In a
large enterprise with several hundred rules, this will make a difference.


I believe this is the allow path: (Of course, will not be the first time I
am wrong.)


Is there a rule on the content?

Is there a rule on the user?

(One other I can not remember)

Allow with Stateful packet inspection.


John Tolmachoff MCSE, CSSA

IT Manager, Network Engineer

RelianceSoft, Inc.

La Habra, CA  90631

www.reliancesoft.com


-----Original Message-----
From: David Elmquist [mailto:david@xxxxxxxxxx] 
Sent: Wednesday, October 30, 2002 1:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Stateful inspection


http://www.ISAserver.org

Lately, I've been asked to make a comparison between ISA and other
firewalls, such as PIX and FW1. One thing that's been nagging me is the
ability to have a DMZ and do stateful inspection on traffic there. I'm aware
that ISA does in fact do stateful inspection on outbound traffic and traffic
initiated by published server rules. My question is this:

Does ISA perform stateful inspection on traffic to a DMZ zone via packet
filters?

The reason this is not obvious is the 3 types of traffic configurable in a
packet filter: Inbound, Outbound and both. I've noticed that, for example, a
filter like TCP 3389 inbound would allow Terminal Services to be used on the
ISA machine, but a typical old-fashioned filtering firewall would require a
filter allowing both Inbound AND outbound access. Stateful inspection would
account for this. I've found no literature to back this up though. Any
thoughts?

Regards,

David Elmquist
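The behaviour both posts describe (direction judged by the origination point, a stateful filter admitting a reply because it matches the session that expected it, an old-fashioned filter needing a rule in each direction for the same TCP 3389 session) as an added toy simulation. This is not code from either post and not ISA Server code; the addresses, the Packet and Rule types, and the rule-matching convention are constructed assumptions for illustration.

```python
"""Toy packet filter: stateless rules versus stateful connection tracking.

Constructed example, not ISA Server code. Addresses, rule format and the
matching convention are assumptions made for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# proto, src, sport, dst, dport
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK: the first packet of a new connection


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int       # the service port the rule is about (3389 for Terminal Services)
    direction: str  # "inbound", "outbound" or "both", judged by where the packet originates


def reverse(key: FlowKey) -> FlowKey:
    """The 5-tuple a reply to this flow will carry."""
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)


class PacketFilter:
    def __init__(self, rules: List[Rule], local_hosts: Set[str], stateful: bool) -> None:
        self.rules = rules
        self.local_hosts = set(local_hosts)  # hosts behind the filter (ISA itself, DMZ servers)
        self.stateful = stateful
        self.state: Dict[FlowKey, str] = {}  # connection table, only used when stateful
        self.log: List[str] = []

    def direction(self, pkt: Packet) -> str:
        # Inbound/outbound pertain to the origination point, not to a packet's role in a session.
        return "outbound" if pkt.src in self.local_hosts else "inbound"

    def rule_allows(self, pkt: Packet) -> bool:
        d = self.direction(pkt)
        # A stateless filter has no notion of a connection, so it matches the service port at
        # either end (that is what lets a reply carrying source port 3389 out); a stateful filter
        # consults rules only for new connections, whose service port is the destination port.
        ends = (pkt.dport,) if self.stateful else (pkt.sport, pkt.dport)
        return any(r.proto == pkt.proto and r.direction in (d, "both") and r.port in ends
                   for r in self.rules)

    def filter(self, pkt: Packet) -> str:
        key: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if not self.stateful:
            verdict = "allow (rule)" if self.rule_allows(pkt) else "drop (no rule)"
        elif key in self.state:
            verdict = "allow (established)"        # matches a session the other side expected
        elif pkt.proto == "TCP" and not pkt.syn:
            verdict = "drop (no state)"            # mid-connection packet nobody asked for
        elif self.rule_allows(pkt):
            self.state[key] = self.direction(pkt)  # remember the flow ...
            self.state[reverse(key)] = "reply"     # ... and the reply we now expect
            verdict = "allow (new, rule)"
        else:
            verdict = "drop (no rule)"
        self.log.append(f"{self.direction(pkt):8} {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport} {verdict}")
        return verdict


# Constructed addresses from the RFC 5737 documentation ranges, not real hosts.
ISA = "192.0.2.10"         # the ISA machine, offering Terminal Services on TCP 3389
CLIENT = "203.0.113.5"     # an administrator on the Internet
STRANGER = "198.51.100.7"  # an unrelated Internet host


def rdp_session(pf: PacketFilter) -> List[str]:
    """Replay the first three packets of a Terminal Services connection; return the verdicts."""
    syn = Packet("TCP", CLIENT, 50000, ISA, 3389, syn=True)
    syn_ack = Packet("TCP", ISA, 3389, CLIENT, 50000)  # the reply, originating at ISA
    ack = Packet("TCP", CLIENT, 50000, ISA, 3389)
    return [pf.filter(p) for p in (syn, syn_ack, ack)]


def stray_connection(pf: PacketFilter) -> str:
    """A new connection to an unrelated port that merely carries source port 3389."""
    return pf.filter(Packet("TCP", STRANGER, 3389, ISA, 40000, syn=True))


if __name__ == "__main__":
    cases = [
        ("stateless, inbound rule only", [Rule("TCP", 3389, "inbound")], False),
        ("stateless, rule for both directions", [Rule("TCP", 3389, "both")], False),
        ("stateful, inbound rule only", [Rule("TCP", 3389, "inbound")], True),
    ]
    for name, rules, stateful in cases:
        pf = PacketFilter(rules, {ISA}, stateful)
        rdp_session(pf)
        stray_connection(pf)
        print(name)
        for line in pf.log:
            print("  " + line)
```

Run stand-alone it prints the verdicts for the three configurations: with only an inbound rule the stateless filter drops the SYN/ACK leaving the ISA machine, the stateless "both" rule lets the session through but also admits any new connection that happens to carry source port 3389, and the stateful filter with the single inbound rule admits the replies as established traffic while dropping the stray connection and mid-connection packets it has no state for.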

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------