topic Yes, FTP has seperate streams in Network Security

IP Inspect Protocols (Beginner)

whartigan1 — Tue, 12 Mar 2019 07:22:01 GMT

Hi All,

Recently passed CCNA and starting to look into CCNA security topics. I have a 1811 router I just set up as my NAT gateway. I've configured a implicit deny ACL for all inbound traffic from the internet and IP Inspect for tcp, udp, icmp originating from my network.

From what Im testing so far this seems to work pretty well for home based internet traffic, I've yet to see anything blocked that I initiate. Is anyone able to point me to a reference for what additional functionality exists if I specific on a per protocol basis? For instance I see all sorts of other options with ip inspect like ftp, http, citricmaclient, etc, but I'm not sure if theres any added benefit to listing them specifically as apposed to the blanket statements I made.

Limiting to more specific

Marius Gunnerud — Sat, 20 Feb 2016 20:51:36 GMT

Limiting to more specific ports can be done if you want your users to only be allowed to, for example, go to http and https, but not ftp. But more often than not, all traffic that is generated from the local LAN is permitted.

Please remember to select a correct answer and rate helpful posts

Thank you for the response.

whartigan1 — Sun, 21 Feb 2016 04:12:05 GMT

Thank you for the response.

Are there any scenarios where it is required to have specific protocols added? I was reading with FTP there are instances it won't work correctly without listing it explicitly. For everyday internet usage I want to make sure I have my ground covered.

Yes, FTP has seperate streams

Marius Gunnerud — Sun, 21 Feb 2016 20:42:11 GMT

Yes, FTP has seperate streams of traffic for request and reply so without any extra configuration the reply traffic will be denied. Basically any traffic that has separate data streams for request and reply.

Please remember to select a correct answer and rate helpful posts