Great Circle Associates Firewalls
(November 1997)

Subject: Ever seen this in practice??
From: Chris Brenton <cbrenton @ sover . net>
Date: Mon, 03 Nov 1997 21:49:02 -0500
To: firewalls @ greatcircle . com
Reply-to: cbrenton @ sover . net

I was flipping through some Cisco training material and ran across a
communication property that I do not believe I have ever seen in the
field.

The subject was regarding how segments are handled at the transport
layer. The text stated that when there are multiple sessions taking
place between two IP hosts, the sessions could be multiplexed
together in order to decrease the number of required packets.

In other words, let's assume host "A" has three users logged on who all
have active Telnet sessions taking place to host "B". According to the
text, these three sessions could be combined into a single IP packet
using multiple transport headers to distinguish each unique session
(i.e. source and reply ports) and multiple payloads.

In fact, it was explained to me that all traffic does not have to be
initiated from the same host or even be the same transport or service.
For example I could be using HTTP from host "A" to "B" while host "B"
has initiated a Telnet and SNMP back to host "A". All three sessions
could be multiplexed into the same set of IP packets. While normally I
place little weight in events I have never measured with an analyzer,
the source of this info was the Cisco training manuals. I did however
find some other things that I _know_ are mistakes, but we will not go
there... <g>

So has anyone actually ever seen this before? If so, how does a firewall
deal with this type of connection? This would speak volumes to
inspecting payload. I would assume that a firewall/filter that simply
makes decisions based upon the data located at a certain offset from the
preamble field would probably miss this.

I would also assume that the support of this type of multiplexing would
be vendor specific. Anyone out there doing it?

Thanks in advance!

Chris

**************************************
cbrenton @ sover . net
http://www.amazon.com/exec/obidos/ats-query/0740-8883012-887529

"We've heard that a million monkeys at a million keyboards 
could produce the Complete Works of Shakespeare; now, 
thanks to the Internet, we know this is not true."
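An added example, not part of the original post, illustrating the fixed-offset concern raised above: an IPv4 header is not always 20 bytes (its IHL field gives the real length), so a filter that reads the port numbers at a fixed offset mis-reads a packet that carries IP options, while a filter that honours IHL and the protocol field finds the transport header correctly. The packets are constructed here, with checksums left at zero.

```python
import struct

def build_ipv4_tcp(src_port: int, dst_port: int, ip_options: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet carrying one TCP SYN header (checksums left as 0)."""
    pad = (-len(ip_options)) % 4              # options are padded to a 32-bit boundary
    options = ip_options + b"\x00" * pad
    ihl = 5 + len(options) // 4               # header length in 32-bit words
    # TCP header: ports, seq, ack, data offset (5 words), flags=SYN, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = ihl * 4 + len(tcp)
    ver_ihl = (4 << 4) | ihl
    # IPv4 header: ver/ihl, tos, total length, id, flags/frag, ttl, proto=6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + options + tcp

def ports_fixed_offset(pkt: bytes) -> tuple:
    """Naive filter: assumes the transport header always starts 20 bytes into the packet."""
    return struct.unpack("!HH", pkt[20:24])

def ports_from_ihl(pkt: bytes) -> tuple:
    """Header-aware filter: locates the transport header via IHL and checks the protocol."""
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4 + 4:
        raise ValueError("not a well-formed IPv4 packet with a transport header")
    if pkt[9] != 6:
        raise ValueError("not TCP")
    off = ihl * 4
    return struct.unpack("!HH", pkt[off:off + 4])

if __name__ == "__main__":
    plain = build_ipv4_tcp(40000, 23)                       # telnet, no IP options
    with_opts = build_ipv4_tcp(40000, 23, b"\x01" * 4)      # same, with four NOP options
    print(ports_fixed_offset(plain), ports_from_ihl(plain))
    print(ports_fixed_offset(with_opts), ports_from_ihl(with_opts))
```

On the packet with options the fixed-offset filter reports ports (257, 257), i.e. the option bytes, and a port-based rule for telnet would not match it.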