RE: Stateful inspection
- From: "David Elmquist" <david@xxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 30 Oct 2002 22:54:00 +0100
Thanks for your answer.
What is unclear to me is the way these alleged packet filters actually work.
Let's say we build a filter allowing inbound traffic to an HTTP server in a DMZ zone.
In my mind, packet filtering is static. This filter would allow the packets to reach the HTTP server, but not the response to be sent back. My limited experience with this indicates that the response actually IS allowed, which to me spells stateful: something must observe the packets going in, build a state table and allow packets to return in the flow. This would not be happening if the filter only did what its name says: allows one-way traffic only, since connection-oriented traffic requires both-way communication. Can I take your SMTP example as a confirmation of the above?
David
-----Original Message-----
From: John Tolmachoff [mailto:isalist@xxxxxxxxxxxx]
Sent: 30 October 2002 22:38
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Stateful inspection
http://www.ISAserver.org
Inbound and Outbound pertain to the origination point.
For instance, to have a web server in the DMZ accessible to the Internet you would need an inbound rule. If there is no outbound, you could not reach a web site on the Internet from the DMZ.
ISA is doing stateful packet inspection. What that is is a comparison between the inbound and outbound connections and whether they match. Example: if you had an outbound SMTP rule, ISA would allow the SMTP traffic out. But as part of that session, there will be inbound traffic. Stateful packet inspection will look at the inbound traffic, such as a response or verification, and match it to an outbound to ensure that the inbound is what the outbound was expecting.
The reason you have the option of both is to reduce the number of rules, as each bit of traffic must traverse the rules until a match is found. In a large enterprise with several hundred rules, this will make a difference.
I believe this is the allow path: (Of course, it will not be the first time I am wrong.)
Is there a rule on the content?
Is there a rule on the user?
(One other I can not remember)
Allow with stateful packet inspection.
John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
La Habra, CA 90631
www.reliancesoft.com
-----Original Message-----
From: David Elmquist [mailto:david@xxxxxxxxxx]
Sent: Wednesday, October 30, 2002 1:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Stateful inspection
http://www.ISAserver.org
Lately, I've been asked to make a comparison between ISA and other firewalls, such as PIX and FW1. One thing that's been nagging me is the ability to have a DMZ and do stateful inspection on traffic there. I'm aware that ISA does in fact do stateful inspection on outbound traffic and traffic initiated by published server rules. My question is this:
Does ISA perform stateful inspection on traffic to a DMZ zone via packet filters?
The reason this is not obvious is the 3 types of traffic configurable in a packet filter: Inbound, Outbound and Both. I've noticed that for example a filter like TCP 3389 inbound would allow Terminal Services to be used on the ISA machine - but a typical old-fashioned filtering firewall would require a filter allowing both inbound AND outbound access. Stateful inspection would account for this. I've found no literature to back this up though...any thoughts?
Regards,
David Elmquist
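The two filter behaviours the thread is comparing, as a simulation added here as an example (it is not ISA Server code and was not posted by either participant). It puts a static filter, which judges every packet on its own against inbound/outbound rules, beside a stateful filter, which admits only a rule-matched TCP SYN and then records both directions of that connection in a state table, so the DMZ web server's replies pass with nothing but the inbound rule. The addresses, ports and packet sequence are constructed, and `Packet`, `Rule`, `StaticFilter` and `StatefulFilter` are hypothetical names for this example only.

```python
# Static vs. stateful packet filtering, simulated. Added example, not ISA
# Server code. Addresses, ports and traffic below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

WEB = "192.0.2.10"        # HTTP server in the DMZ (RFC 5737 documentation range)
CLIENT = "198.51.100.7"   # a client on the Internet
DMZ_NET = {WEB}           # hosts behind the DMZ interface


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # TCP flags as letters: S, A, F, R (e.g. "SA")


def flow_direction(p: Packet) -> str:
    """'outbound' if the packet originates in the DMZ, otherwise 'inbound'."""
    return "outbound" if p.src in DMZ_NET else "inbound"


@dataclass(frozen=True)
class Rule:
    direction: str                # "inbound", "outbound" or "both"
    dport: Optional[int] = None   # None matches any destination port
    sport: Optional[int] = None   # None matches any source port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("both", flow_direction(p))
                and self.dport in (None, p.dport)
                and self.sport in (None, p.sport))


class StaticFilter:
    """Each packet is judged on its own against the rule list; no memory."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def verdict(self, p: Packet) -> str:
        return "allow" if any(r.matches(p) for r in self.rules) else "drop"


FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


class StatefulFilter:
    """Rules admit only a connection's first packet (TCP SYN without ACK).
    Both directions of an admitted flow enter the state table, so replies pass
    without a rule of their own; anything else with no state is dropped."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: Dict[FlowKey, Set[str]] = {}   # flow key -> hosts that sent FIN

    @staticmethod
    def key(p: Packet) -> FlowKey:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse(k: FlowKey) -> FlowKey:
        return (k[2], k[3], k[0], k[1])

    def verdict(self, p: Packet) -> str:
        k = self.key(p)
        if k in self.state:                       # belongs to a tracked flow
            self._track_teardown(p, k)
            return "allow"
        opens_connection = "S" in p.flags and "A" not in p.flags
        if opens_connection and any(r.matches(p) for r in self.rules):
            fins: Set[str] = set()                # one record shared by both directions
            self.state[k] = fins
            self.state[self.reverse(k)] = fins
            return "allow"
        return "drop"   # no state and not an allowed new connection

    def _track_teardown(self, p: Packet, k: FlowKey) -> None:
        fins = self.state[k]
        if "R" in p.flags:                        # reset: forget the flow at once
            self._forget(k)
        elif "F" in p.flags:
            fins.add(p.src)
        elif len(fins) == 2 and "A" in p.flags:   # final ACK after both FINs
            self._forget(k)

    def _forget(self, k: FlowKey) -> None:
        self.state.pop(k, None)
        self.state.pop(self.reverse(k), None)


def run(filt, packets: List[Packet]) -> List[str]:
    return [filt.verdict(p) for p in packets]


# Constructed traffic: one complete HTTP connection from CLIENT to WEB.
HTTP_SESSION = [
    Packet(CLIENT, 51000, WEB, 80, "S"),
    Packet(WEB, 80, CLIENT, 51000, "SA"),   # server reply: no rule of its own
    Packet(CLIENT, 51000, WEB, 80, "A"),
    Packet(CLIENT, 51000, WEB, 80, "A"),    # GET /
    Packet(WEB, 80, CLIENT, 51000, "A"),    # 200 OK
    Packet(CLIENT, 51000, WEB, 80, "FA"),
    Packet(WEB, 80, CLIENT, 51000, "FA"),
    Packet(CLIENT, 51000, WEB, 80, "A"),
]
INBOUND_HTTP = [Rule("inbound", dport=80)]
# What a static filter needs on top to let the replies out...
STATIC_BOTH_WAYS = INBOUND_HTTP + [Rule("outbound", sport=80)]
# ...which also passes a connection the DMZ host opens from source port 80.
ROGUE_SYN = Packet(WEB, 80, CLIENT, 22, "S")
STRAY_ACK = Packet(CLIENT, 40000, WEB, 80, "A")   # mid-stream ACK, no connection behind it

if __name__ == "__main__":
    print("static, inbound rule only:  ", run(StaticFilter(INBOUND_HTTP), HTTP_SESSION))
    print("stateful, inbound rule only:", run(StatefulFilter(INBOUND_HTTP), HTTP_SESSION))
```

With only the inbound TCP/80 rule the static filter drops every packet the server sends back, while the stateful filter passes the whole session and empties its state table after the final ACK. Giving the static filter the second rule it needs (outbound, source port 80) fixes the session but also admits `ROGUE_SYN`, a connection the DMZ host opens from source port 80 to any Internet port, and the static filter with either rule set passes `STRAY_ACK`, an ACK that matches the rule but belongs to no connection; the stateful filter drops both, because neither is a SYN that a rule admitted nor part of a tracked flow.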
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
isalist@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------