RE: Reflexive AL and CBAC

From: Sam.MicroGate@usa.telekom.de
Date: Thu Oct 17 2002 - 12:09:56 GMT-3


Thank you all.

Nice explanation mdye.

Sam

-----Original Message-----
From: mdye@bevillcntr.org [mailto:mdye@bevillcntr.org]
Sent: Thursday, October 17, 2002 10:58 AM
To: Desimone, Aurelio; 'Sam.MicroGate@usa.telekom.de';
ccielab@groupstudy.com
Subject: RE: Reflexive AL and CBAC

Context-based access control is more comprehensive. It includes stateful
packet filtering. Its method of stateful packet filtering is more than just
Layer 3 and Layer 4 header examination; CBAC actually examines a packet's
data content.

CBAC can distinguish beyond port numbers and IP addresses that reflexive
lists use to inspect the type of data being exchanged. CBAC examines the
payload of a packet to determine what application layer protocol is used.
CBAC is aware of how certain applications work. It then recognizes and
permits invited traffic, even if the outside host has responded using a port
number that is not yet in the state table. Some of the supported
applications include Real Audio and Microsoft's NetShow. That way CBAC
supports protocols that involve multiple channels, or ports. Most multimedia
streaming protocols, as well as some other protocols (such as FTP, RPC, and
SQL*Net), use multiple channels.

Of course the information about how the protocols work has to be supported
by the IOS. When using CBAC it is important to keep the IOS current as it
will support newer protocols and modifications to the already supported
protocols.

Does that help?
 

At 09:25 AM 10/17/02 -0500, Desimone, Aurelio wrote:
>I'm not positive, but I was under the impression that CBAC does
>stateful inspection where reflexive just times-out with inactivity
>
>Aurelio
>10267
>
>-----Original Message-----
>From: Sam.MicroGate@usa.telekom.de
>[mailto:Sam.MicroGate@usa.telekom.de]
>Sent: Thursday, October 17, 2002 8:36 AM
>To: ccielab@groupstudy.com
>Subject: Reflexive AL and CBAC
>
>
>Hello everyone,
>
>Can someone tell the main difference between the reflexive access list
>and class based access control? They seem very similar to me. The same
>use and the concept. They both filter traffic at the edge of the
>network. Only traffic that originated from the inside will pass to the
>outside unless you configure otherwise. Thanks.
>
>
>Sam
>
Mark A. Dye, CCNP, CCDP, CCAI, MCSE(W2K), MCSE(NT4), MCT, MCP+I, MCP, NET+,
CBET Technology Manager Bevill Manufacturing Technology Center 401 Trade
School Road Gadsden, AL 35903

Phone: 256.549.8165
Fax: 256.547.5790
email: mdye@bevillcntr.org http://www.bevillcntr.org/staff.html#mark

It is a funny thing about life: if you refuse to accept anything but the
best you very often get it. -William Somerset Maugham
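
Added example, not part of the original thread and not Cisco's implementation: a simplified Python model of the difference discussed in this thread, replaying an active-mode FTP session through a header-only reflexive filter and through a filter that also reads the FTP control payload. The addresses, ports, class names and the pinhole rule are assumptions made for the illustration.

```python
import re

# Constructed sample: inside client runs active-mode FTP to an outside server.
CLIENT, SERVER = "10.0.0.5", "198.51.100.7"

class ReflexiveFilter:
    """Toy reflexive list: state comes only from outbound L3/L4 headers."""
    def __init__(self):
        self.state = set()

    def outbound(self, pkt):
        proto, src, sport, dst, dport, _payload = pkt
        self.state.add((proto, dst, dport, src, sport))  # mirrored reply entry

    def inbound_allowed(self, pkt):
        return pkt[:5] in self.state

class InspectingFilter(ReflexiveFilter):
    """Toy CBAC-style inspection: also reads the FTP control payload."""
    PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

    def outbound(self, pkt):
        super().outbound(pkt)
        proto, src, sport, dst, dport, payload = pkt
        m = self.PORT_RE.match(payload) if dport == 21 else None
        if not m:
            return
        n = [int(x) for x in m.groups()]
        if max(n) > 255:
            return
        addr, data_port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
        # Open a pinhole only toward the host that sent the PORT command,
        # and only for an unprivileged port (modelling choice of this example).
        if addr == src and data_port >= 1024:
            self.state.add((proto, dst, 20, addr, data_port))

def run(fw):
    """Replay the constructed session; return which inbound packets pass."""
    fw.outbound(("tcp", CLIENT, 40000, SERVER, 21, b""))
    fw.outbound(("tcp", CLIENT, 40000, SERVER, 21, b"PORT 10,0,0,5,195,80\r\n"))
    inbound = {
        "control_reply": ("tcp", SERVER, 21, CLIENT, 40000),
        "data_channel": ("tcp", SERVER, 20, CLIENT, 50000),  # 195*256+80
        "unsolicited": ("tcp", SERVER, 20, CLIENT, 50001),
    }
    return {name: fw.inbound_allowed(p) for name, p in inbound.items()}

if __name__ == "__main__":
    print("reflexive :", run(ReflexiveFilter()))
    print("inspecting:", run(InspectingFilter()))
```

The header-only filter passes the control reply but drops the server's data connection, because no outbound packet ever carried that port pair; the inspecting filter admits it because the port was announced in the PORT command it parsed.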



This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:49 GMT-3