The few exceptions to this are ICMP and IPSec connections which are not
currently stateful.

Amin Tora wrote:

> > Is it necessary within the rule base to provide for a connection going both
> > ways? In other words, if I need HTTP access for the entire network, is it
> > required to do the following two rules:
> >
> > Rule X:  Network  Any      Http  Accept
> > Rule Y:  Any      Network  Http  Accept
> >
> > Wouldn't just having the first one allow HTTP to work both ways, requests
> > going out and requested data and ACKs coming in?
>
> Yes, the first rule should allow response packets to come back in and you
> don't need to implement Rule Y. Rule Y would allow ANYONE to initiate HTTP
> connections to ALL systems on your network. (Bad idea)
>
> Stateful inspection is set up to keep track of connections and allow
> responses to established UDP and TCP connections to come back in. TCP
> sessions time out based on what you have set in your Policy Properties'
> Security tab (TCP Session Timeout - defaults to 3600 sec). Also, you may
> allow UDP responses for UDP connections (UDP virtual session timeouts -
> defaults to 40 sec).
>
> Amin Tora, CISSP
> ePlus Technology
> http://www.eplus.com
> NASDAQ: PLUS
Is it necessary within the rule base to provide for a connection going both
ways? In other words, if I need HTTP access for the entire network, is it
required to do the following two rules:

Rule X:  Network  Any      Http  Accept
Rule Y:  Any      Network  Http  Accept

Wouldn't just having the first one allow HTTP to work both ways, requests
going out and requested data and ACKs coming in?

Thanks,
Ryan Realivasquez
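The behaviour described in the thread, as an added illustration that is not FireWall-1 code and not from any of the posters: a toy stateful packet filter with a connection table. Rule X (Network -> Any, HTTP, Accept) is the only HTTP rule; reply packets get back in because the connection was recorded, and a connection opened from the Internet is dropped unless the unwanted Rule Y is added. Timeouts are the defaults quoted in the answer (3600 s TCP, 40 s UDP virtual session); only TCP and UDP are tracked, matching the remark that ICMP and IPSec are not stateful. The network range, the extra DNS rule and all packets are constructed for the demo.

```python
"""Toy stateful packet filter (added example, not FireWall-1 code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NETWORK = ip_network("10.0.0.0/24")   # constructed stand-in for the "Network" object
TCP_SESSION_TIMEOUT = 3600            # seconds, default quoted in the thread
UDP_VIRTUAL_SESSION_TIMEOUT = 40      # seconds, default quoted in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    ts: float    # arrival time in seconds


def rule_x_http_out(p: Packet) -> bool:
    """Rule X from the thread: Network -> Any, HTTP, Accept."""
    return ip_address(p.src) in NETWORK and p.proto == "tcp" and p.dport == 80


def rule_y_http_in(p: Packet) -> bool:
    """Rule Y from the thread: Any -> Network, HTTP, Accept (the one the answer says to leave out)."""
    return ip_address(p.dst) in NETWORK and p.proto == "tcp" and p.dport == 80


def rule_dns_out(p: Packet) -> bool:
    """Constructed extra rule so the UDP timeout can be shown: Network -> Any, DNS, Accept."""
    return ip_address(p.src) in NETWORK and p.proto == "udp" and p.dport == 53


RULE_BASE = [rule_x_http_out, rule_dns_out]   # outbound rules only, no Rule Y


class StatefulFirewall:
    """Connection table keyed on the 5-tuple; only TCP and UDP entries are kept."""

    def __init__(self, rules):
        self.rules = rules
        self.table = {}   # (proto, src, sport, dst, dport) -> time of last packet

    def _expire(self, now: float) -> None:
        # Drop entries idle longer than the protocol's session timeout.
        for key, last_seen in list(self.table.items()):
            limit = TCP_SESSION_TIMEOUT if key[0] == "tcp" else UDP_VIRTUAL_SESSION_TIMEOUT
            if now - last_seen > limit:
                del self.table[key]

    def filter(self, p: Packet) -> str:
        self._expire(p.ts)
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Reply to, or continuation of, a connection already in the table.
        for key in (rev, fwd):
            if key in self.table:
                self.table[key] = p.ts
                return "accept (established)"
        # First packet of a connection: only the rule base decides.
        if not any(rule(p) for rule in self.rules):
            return "drop (no rule)"
        if p.proto in ("tcp", "udp"):
            self.table[fwd] = p.ts   # remember it so the responses can come back
        return "accept (rule)"


def demo() -> list:
    """Run a constructed packet sequence through the rule base without Rule Y."""
    fw = StatefulFirewall(RULE_BASE)
    packets = [
        # HTTP request out, reply back: Rule X plus state, no Rule Y needed
        Packet("10.0.0.5", "198.51.100.7", "tcp", 40001, 80, ts=0),
        Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 40001, ts=1),
        # Someone on the Internet trying to open HTTP to an internal host
        Packet("203.0.113.9", "10.0.0.5", "tcp", 5555, 80, ts=2),
        # DNS query out, reply inside the 40 s window, another reply after it
        Packet("10.0.0.5", "198.51.100.53", "udp", 50000, 53, ts=10),
        Packet("198.51.100.53", "10.0.0.5", "udp", 53, 50000, ts=30),
        Packet("198.51.100.53", "10.0.0.5", "udp", 53, 50000, ts=100),
        # HTTP "reply" arriving after the TCP session timeout has expired the entry
        Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 40001, ts=5000),
    ]
    return [fw.filter(p) for p in packets]


def internet_can_open_http(rules) -> bool:
    """True if a fresh connection from an outside address to an internal web port is accepted."""
    fw = StatefulFirewall(rules)
    probe = Packet("203.0.113.9", "10.0.0.5", "tcp", 5555, 80, ts=0)
    return fw.filter(probe).startswith("accept")


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
    print("Rule X only, Internet can open HTTP inwards:", internet_can_open_http(RULE_BASE))
    print("With Rule Y added:", internet_can_open_http(RULE_BASE + [rule_y_http_in]))
```

The two `internet_can_open_http` calls are the point of the answer in miniature: with Rule X alone the inbound connection attempt is dropped while the reply to the outbound request is still accepted, and the moment Rule Y is added every internal host becomes reachable on port 80 from anywhere.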