Deny traffic of different protocol over specific ports!

[l1carter]

All,

I am new to the netscreen world but have been working firewalls / networks for some time now.

My question is:

I set up a statefull inspection of all packets that go over port 80 (web). If a user tries to telnet thru port 80 that user will be blocked for a specific time.

How does the netscrean know to block that type of traffic:

is it.. Netscreen has a profile of web (80) traffic and telnet does not look like that so it is denied...

or is it... Netscreen knows what telnet looks like and it knows that telnet is not allowed over port 80?

thanks,

Lee

 

[penauroth]

If you are new to netscreen products then you should go to this site:

http://www.netscreenforum.com

Paul

 

[NetEng631]

I would like to begin by saying I am not completely sure of this answer. So if Im wrong please be kind.

The way I understand it is that Netscreen screens the ports and sets up a session based on the IP address ports, etc.

If you tried to telnet on port 80 and the machine you were telneting to is listening for telnet on port 80 it should work. Basically this is how people get around YAHOO chat by sending it out port 80. The firewall only checks ip address port and protocols. So if I tried to telnet on port 80 but the machine was listening on port 23 ( I think 23 is Telnet I dont remember off the top of my head.)
then the connection will not get through.

I hope this helps.

 

[zausner]

I would have to agree with NetEng631.

Things are going to be a bit different with ScreenOS 5.0 and it's deep packet inspection, however for now as far into the header as the Netscreen will look is to see that it's a TCP port 80 packet, compare it to it's policy and send it on it's way if it's a match.