I just passed my MTCNA and during the training we saw how to use statefull packet inspection in the firewall to only filter new connection to unload the filter.
I do understand the benefit of doing so, but my question is, can a hacker spoof the state of a packet to make the router believe it is an established or related packet?
Thank you
Martin
A packet of a TCP connection is established if the router has seen a full TCP threeway handshake. A packet of a UDP connection is established if the router is seeing return traffic. A packet is related if the service helpers (FTP, PPTP, SIP, etc.) has seen a new data connection being negotiated in the control channel of an existing established connection.
Hackers can potentially hijack a TCP session, but that is fairly unlikely and targeted.