Solved

Cisco IOS firewall - ip inspect name OUTSIDE TCP

Posted on 2008-10-20
4
948 Views
Last Modified: 2008-11-18
I am trying to make sense of the IP INSPECT statement of the Cisco IOS firewall. What does it mean when I have IP INSPECT NAME OUTSIDE TCP? or IP INSPECT NAME OUTSIDE ICMP? Does it mean that after the packet pass through the access list, it will be inspected by the IOS firewall and it the packet is not a TCP connection or an ICMP packet, the packet will be dropped? Thx
0
Comment
Question by:netdoc01
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 10

Expert Comment

by:kyleb84
ID: 22764264
It means that it will keep track of TCP connections, inspecting packets for abnormalities and/or possible attacks.

Same applies to ICMP, the firewall will inspect the packet, make sure everything looks ok in it, then pass it on.

If the packet is deemed bad, corrupt or invalid - even part of a possible attack, it will then be dropped.
0
 
LVL 10

Expert Comment

by:kyleb84
ID: 22764273
For example, if you do not include a

 "IP INSPECT NAME OUTSIDE UDP"

The firewall will not take any notice of UDP packets, and just pass them straight on to the destination.
0
 

Author Comment

by:netdoc01
ID: 22764328
"inspecting packets for abnormalities and/or possible attacks"

How can it determine if a packet is bad like you have mentioned above?
0
 
LVL 10

Accepted Solution

by:
kyleb84 earned 500 total points
ID: 22764370
For TCP connections, each packet has a set of "flags" in the header that control a connection, you wouldn't - for example see all SYN + RST + ACK flags set in the one packet (SYN = do a connect, RST = reset, ACK = acknowledge).

ICMP packets can contain invalid requests (Can't think of an example).

Some mixture of invalid flags / requests are well known attacks, other instances might just be data corruption that happened on the way.

The bottom line is that when it inspect TCP - it only looks at the TCP info header, not the data therein.

The firewall CAN do layer 4+ inspection as well, which actually takes a look at the data inside the packet and not just the header.

Layer 4+ protocols like SIP, HTTP, and FTP can all be monitored as well. This involves keeping track of such connections deep inside your TCP / UDP packet.

0

Featured Post

Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question