RE: IP TCP Intercept question

From: Jason (jgraun@xxxxxxxxx)
Date: Thu Apr 11 2002 - 17:34:45 GMT-3


   
Here is a good book that explains a lot of different types of
access-lists

Cisco Access Lists Field Guide from McGraw-Hill Technical Expert Series
ISBN 0-07-212335-4

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Tarek Sabry
Sent: Wednesday, April 10, 2002 10:48 PM
To: 'Lupi, Guy'; 'ying chang '; smann0762@hotmail.com; tsabry@slb.com;
ccielab@groupstudy.com
Subject: RE: IP TCP Intercept question

I agree with Guy that CBAC should be used here. Now if the requirement is to
disconnect after a period of time whether active or passive then that's a
bit odd. Again, Guy has thrown in some creative ideas, but I'm not sure if
they address your specific situation or not. My guess is that you just need
to get rid of those idle sessions.

You may want to give us some more info.

Tarek

-----Original Message-----
From: Lupi, Guy [mailto:Guy.Lupi@eurekaggn.com]
Sent: Wednesday, April 10, 2002 8:09 PM
To: 'ying chang '; 'smann0762@hotmail.com '; 'tsabry@houston.sns.slb.com
'; 'tsabry@slb.com '; 'ccielab@groupstudy.com '
Subject: RE: IP TCP Intercept question

I think that based on the requirement CBAC may be a better answer here. I
don't believe that you can specify a timeout on completed successful
sessions with TCP intercept. With CBAC however, you do have the ability to
use the "ip inspect tcp idle-time"; the default is 3600 seconds, but you can
lower it to whatever you want. This will cause the router to close a
session that has been open and idle for the specified amount of time. This
only specifies the time that a session is idle before it times out, however;
if the connection is active I don't believe that the timeout applies, it
must be idle. You can also specify it on a per-rule basis. CBAC also has a
DOS attack prevention method. If the requirement truly is to disconnect TCP
sessions after a period of time, active or not, then you may have to use a
dynamic access-list, but the user would have to telnet to the router to
initiate the dynamic rule. How long is the absolute timeout supposed to be?
You could use TCP intercept and an access list that references a time range.
If the timeout was say an hour, you could do something like this. Based on
the time range, sessions would last 59 minutes, be disconnected, and then be
allowed again after a minute for another 59 minutes. This seems a little
ridiculous, unless the absolute timeout is like 6 hours.

access-list 101 permit tcp any any time-range blah
!
time-range blah
 periodic daily 0:01 to 1:00
 periodic daily 1:01 to 2:00
 periodic daily 2:01 to 3:00
 periodic daily 3:01 to 4:00

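As an added illustration, not code from this thread or from Cisco, here is a small Python model of the three timeouts the thread keeps contrasting: the TCP intercept watch-timeout that resets half-open connections (the watch-timeout versus connection-timeout point Tarek raises further down), the CBAC idle-time that closes established sessions only once they go quiet, and the absolute timeout Scott originally asked for, which cuts a session even while it is active. The event names, flow labels, timeout values and packet trace are constructed assumptions; the model records each reset at the deadline that triggered it, so the trace shows which sessions each timeout catches.

```python
from dataclasses import dataclass


@dataclass
class Session:
    start: float             # time the client's SYN was seen
    last_seen: float         # time of the last packet in either direction
    established: bool = False


class SessionTracker:
    def __init__(self, watch_timeout=30, idle_timeout=3600, absolute_timeout=None):
        self.watch_timeout = watch_timeout        # seconds allowed to reach ESTABLISHED
        self.idle_timeout = idle_timeout          # seconds with no traffic once established
        self.absolute_timeout = absolute_timeout  # hard cap on session age; None = no cap
        self.sessions = {}
        self.resets = []                          # (flow, time_of_reset, reason)

    def handle(self, now, flow, event):
        """event is 'syn' (client SYN), 'ack' (handshake completed) or 'data'."""
        self.expire(now)
        if event == 'syn':
            self.sessions.setdefault(flow, Session(start=now, last_seen=now))
        elif flow in self.sessions:
            s = self.sessions[flow]
            s.established = s.established or event == 'ack'
            s.last_seen = now

    def expire(self, now):
        # Reset each session whose earliest deadline has passed; record that deadline.
        for flow, s in list(self.sessions.items()):
            if not s.established:
                deadline, reason = s.start + self.watch_timeout, 'watch-timeout: half-open'
            else:
                deadline, reason = s.last_seen + self.idle_timeout, 'idle-time'
                if self.absolute_timeout and s.start + self.absolute_timeout < deadline:
                    deadline, reason = s.start + self.absolute_timeout, 'absolute-timeout'
            if deadline <= now:
                self.resets.append((flow, deadline, reason))
                del self.sessions[flow]


# Constructed trace (seconds, flow, event): two SYNs that never finish the handshake,
# one session that keeps sending data, one that completes and then goes quiet.
TRACE = [(0, 'flood-1', 'syn'), (0, 'flood-2', 'syn'),
         (5, 'user-A', 'syn'), (5, 'user-A', 'ack'),
         (10, 'user-B', 'syn'), (10, 'user-B', 'ack'), (50, 'user-B', 'data')]
TRACE += [(t, 'user-A', 'data') for t in range(100, 4000, 100)]


def run_trace(trace=TRACE, end=4000, **timeouts):
    tracker = SessionTracker(**timeouts)
    for now, flow, event in sorted(trace, key=lambda e: e[0]):
        tracker.handle(now, flow, event)
    tracker.expire(end)
    return tracker.resets
```

With only an idle-time configured, the active user-A session is never reset; adding an absolute timeout is what finally cuts it, which is the gap Guy describes between CBAC and the original requirement.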
-----Original Message-----
From: ying chang
To: smann0762@hotmail.com; tsabry@houston.sns.slb.com; tsabry@slb.com;
ccielab@groupstudy.com
Sent: 4/10/2002 7:21 PM
Subject: RE: IP TCP Intercept question

Can you let us know why you think you don't have the answer already? I'd do
the same thing based on my limited interpretation capability:

ip tcp intercept list 101
ip tcp intercept mode watch <--- send rst to drop half open connection if
they don't make it in 30 secs

...

access-list 101 permit tcp 123.4.5.0 0.0.0.255 host 192.168.1.2 <---
watch subnet 123.4.5.0 to server 192.168.1.2

I don't think the tcp intercept options like max-incomplete high/low,
one-minute high/low fit the bill here. I wouldn't use them unless they are
specifically asked.

Chang

>From: "scott mann" <smann0762@hotmail.com>
>Reply-To: "scott mann" <smann0762@hotmail.com>
>To: tsabry@houston.sns.slb.com, tsabry@slb.com, ccielab@groupstudy.com
>Subject: RE: IP TCP Intercept question
>Date: Wed, 10 Apr 2002 15:12:44 -0700
>
>My requirement is to stop a TCP SYN attack from one subnet to a server on
>another. This is why I chose to use TCP intercept. However, I am also
>required to enforce an absolute timeout, but I don't know of any other way
>besides using a Dynamic access-list, and mix the two together.
>
>Thanks for your help.
>
>
>>From: Tarek Sabry <tsabry@houston.sns.slb.com>
>>Reply-To: Tarek Sabry <tsabry@houston.sns.slb.com>
>>To: "'scott mann'" <smann0762@hotmail.com>, tsabry@slb.com,
>>ccielab@groupstudy.com
>>Subject: RE: IP TCP Intercept question
>>Date: Wed, 10 Apr 2002 15:27:23 -0500
>>
>>According to what I understand, this feature is for preventing DOS attacks
>>created by floods of *unsuccessful* connections. I think you might need
>>something else to achieve what you're looking for. Maybe someone can
>>enlighten us about anything that can be done on the Cisco equipment to
>>handle this.
>>
>>Sorry
>>Tarek
>>
>>-----Original Message-----
>>From: scott mann [mailto:smann0762@hotmail.com]
>>Sent: Wednesday, April 10, 2002 3:08 PM
>>To: tsabry@slb.com; ccielab@groupstudy.com
>>Subject: RE: IP TCP Intercept question
>>
>>
>>
>>Yes, but I would like to timeout the connection even if the user DOES
>>establish the connection...I want an absolute timeout.
>>
>>Thanks
>>
>>
>> >From: Tarek Sabry <tsabry@houston.sns.slb.com>
>> >Reply-To: tsabry@slb.com
>> >To: 'scott mann' <smann0762@hotmail.com>, ccielab@groupstudy.com
>> >Subject: RE: IP TCP Intercept question
>> >Date: Wed, 10 Apr 2002 14:58:41 -0500
>> >
>> >Scott
>> >
>> >It seems that what you need is to set the "watch-timeout" and not the
>> >"connection-timeout". The former is defined as the "time allowed to reach
>> >established state". So if the user fails to establish the connection after
>> >this timeout, the router sends a reset to the server to drop the connection.
>> >
>> >So the right command (in my humble opinion) would be:
>> >
>> >"ip tcp intercept watch-timeout [seconds]"
>> >
>> >It sounds misleading to use the "watch" timeout when in "intercept"
>>mode,
>> >but that's what the documentation says!
>> >
>> >Let's hear from experts too ....
>> >
>> >Tarek
>> >
>> >
>> >-----Original Message-----
>> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> >scott mann
>> >Sent: Wednesday, April 10, 2002 2:24 PM
>> >To: ccielab@groupstudy.com
>> >Subject: IP TCP Intercept question
>> >
>> >
>> >Can anyone tell me if using the below command will disconnect the
>> >user/connection or simply cause the router to stop managing (keeping stats
>> >or control of) the user/connection. I want to disconnect the user/connection
>> >after a specific timeout period regardless of his authentication/TCP
>> >status.
>> >
>> >"ip tcp intercept connection-timeout [seconds]"
>> >
>> >Below is the Cisco Link, but it is not specific.
>> >
>> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scddenl.htm
>> >
>> >Thanks,
>> >Lab in 2 days.
>> >
>> >



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:05 GMT-3