[c-nsp] What's the value of ASA/FWSM TCP state bypass?

Ge Moua moua0100 at umn.edu
Tue Nov 10 16:42:10 EST 2009


I've always been leery of this feature; I've considered using it in the 
past to troubleshoot badly written apps that muck up tcp 3-way 
handshakes/4-way teardowns; I can see this as a quick & dirty mechanism 
to bypass the stateful inspection engine without taking the firewall 
logically out of the data path; I'd be careful with using this feature 
without serious consideration of the consequences; I also don't like the 
fact that it changes the default "stateful inspection" behavior.

I'd also be interested to hear what other folks think about this.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Peter Rathlev wrote:
> On Tue, 2009-11-10 at 10:44 -0600, James Slepicka wrote: 
>   
>> Just keep in mind that traffic through the firewalls usually* needs to
>> be symmetric.  Be sure to account for that in your design.
>>
>> * 
>> https://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
>>     
>
> I've read about this, but I fail to see what the point is. If the
> firewall doesn't do stateful inspection, then why use a firewall? Why
> not just a router/switch with L4 ACLs?
>
> What am I missing?
>
>   
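The thread's main worry is that TCP state bypass quietly replaces the firewall's default stateful behaviour. The feature is applied through the Modular Policy Framework, so it can be confined to a single flow rather than turned on globally. The ASA configuration below is an added illustration written for this thread, not text from the linked Cisco guide or from any poster; the subnets, object names and interface name are assumed. It scopes the bypass to one known-asymmetric server pair, keeps an explicit interface ACL in front of it (bypassed flows skip the SYN check and TCP normalizer, so the ACL is the only admission control left), and shortens the idle timeout so half-open bypassed entries age out quickly.

```cisco
! --- Added example (assumed addresses/names), not from the original thread ---
! Ordinary interface ACL still applies: bypass does NOT skip access-list checks,
! so keep the permitted traffic narrow.
access-list INSIDE_IN extended permit tcp host 10.10.20.5 host 10.20.30.7 eq 8443
access-group INSIDE_IN in interface inside

! Match only the one asymmetric flow that needs to skip stateful checks.
access-list TCP_BYPASS extended permit tcp host 10.10.20.5 host 10.20.30.7 eq 8443

class-map TCP_BYPASS
 match access-list TCP_BYPASS

! Apply bypass to that class only; the global policy keeps stateful inspection
! for everything else.
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS
  set connection advanced-options tcp-state-bypass
  ! Bypassed conns are not torn down by FIN/RST tracking, so rely on idle timeout.
  set connection timeout idle 0:02:00

service-policy TCP_BYPASS_POLICY interface inside
```

After applying it, `show conn` for the matching hosts displays the entry with the `b` flag (TCP state bypass), which is the quickest way to confirm the bypass is hitting only the intended flow and nothing else.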


More information about the cisco-nsp mailing list