Re: Tying firewalls, ACLs and IDS together

From: John Underhill (stepnwlf@magma.ca)
Date: Thu Jun 17 2004 - 16:23:16 GMT-3


It is my understanding that traffic first passes through the packet filter
(directional acl), then qualifying traffic gets passed on to be inspected at
higher layers. Something like stateful inspection in CBAC, looks into the
payload data structures to see if the command set corresponds to the
protocol type, (does an smtp packet have Mail To, HELO or GET and CMD
instructions), but there are times where these mechanisms are working in
tandem. I remember seeing a thread on CBAC where the authors suggested if
there was no inbound acl, CBAC would still be inspecting the selected
traffic types, but consequently, my debugs of CBAC and sh commands showed an
idle inspection engine in the absence of the preliminary filter. Other
firewalls use intelligent session filtering, like reflexive ACLs, that open
traffic flows originated from within the network, and use a predictive
algorithm to open the corresponding connection port between source and
destination nodes mapped in the state table. Point being that both these
methods require the acls as both preliminary filters and as enablers for the
higher level traffic filtering. As for IDS systems, it seems to make the
most sense that you would run this inside your network, after the filtering
has occurred. (If you have ever looked through SNORT logs on a busy network,
you know why I favor this approach..).

----- Original Message -----
From: "Brad Spencer" <bradsp@outworks.net>
To: <security@groupstudy.com>; "'CCIELab'" <ccielab@groupstudy.com>;
<nobody@groupstudy.com>
Sent: Thursday, June 17, 2004 2:28 PM
Subject: Tying firewalls, ACLs and IDS together

> Hello Everyone,
>
> I am having difficulty understanding the processing steps taken when a
> packet arrives in the following scenarios. It's my feeling that an
> understanding of this will be crucial for the CCIE Security exam and for day
> to day real world work. If anyone has any insight on this please reply all
> to help generate a discussion on the matter. Any links to information that
> could help answer the theme of these types of questions would be greatly
> appreciated.
>
>
>
> 2600XM and NM-CIDS-K9 installed.
>
> Is the packet processed by the IDS before a standard access list is checked?
>
> Is the packet processed by the IDS before return CBAC traffic is checked?
>
> Is the packet processed by the IDS before NAT translates the address? If
> outside NAT is configured will the tcp reset or shun action be applied to
> the translated or real address?
>
>
>
> Note: It is my understanding that the single interface on the NM-CIDS-K9 is
> only for 'command and control' thus only 'command and control packets' are
> processed by the IDS CPU before reaching the router bus, thus immune to any
> acls or NAT on the router side so I guess our discussion should focus on the
> router interfaces.
>
>
>
> CAT6k with PFS/MSFC and IDSM-2 installed
>
> Is the packet processed by the IDS before an extended access list is
> checked?
>
> Is the packet processed by the IDS before a VLAN ACL is checked?
>
> Is the packet processed by the IDS before return CBAC traffic is checked?
> (i.e. the MLS IP inspect command)
>
> Is the packet processed by the IDS before NAT translates the address? If
> outside NAT is configured will the tcp reset or shun action be applied to
> the translated or real address?
>
>
>
> CAT6k with FWSM and IDSM-2 installed
>
> Is the packet processed by the IDS before NAT translates the address? If
> outside NAT is configured will the tcp reset or shun action be applied to
> the translated or real address?
>
> Is the packet processed by the IDS before a standard access list is checked?
>
> Is the packet processed by the IDS before return CBAC traffic is checked?
>
> What are inside and outside NAT considerations when dealing with a switch
> with both modules installed?
>
>
>
> Thanks!
>
> Brad
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
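The ordering John describes in his reply (directional ACL as the preliminary filter, a state table that opens the predicted return flow, IDS seeing only what survived filtering) and the "is the IDS before the ACL / before return CBAC traffic" questions in Brad's original post can be made concrete with a small simulation. The following is an added example written for this archive page, not Cisco IOS code and not anything either poster supplied; the addresses, ports, payloads, and the single protocol-anomaly rule are constructed, and the exact evaluation order is a modelling assumption, not a statement of how a particular platform orders its pipeline.

```python
"""Toy model of the processing order discussed in the thread: a directional
ACL is the preliminary filter, a CBAC / reflexive-ACL style state table
opens the return path for flows that originated inside, and the IDS only
sees traffic that survived filtering.  Added illustration, not Cisco IOS
code; every address, port and payload below is constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    direction: str      # "out" = inside->outside, "in" = outside->inside
    payload: bytes = b""


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches any protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches any destination port


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    for e in acl:
        if (e.proto not in ("ip", pkt.proto) or e.src not in ("any", pkt.src)
                or e.dst not in ("any", pkt.dst)
                or (e.dport is not None and e.dport != pkt.dport)):
            continue
        return e.action == "permit"
    return False


FlowKey = Tuple[str, str, str, int, int]   # src, dst, proto, sport, dport


class StatefulEngine:
    """State table in the spirit of reflexive ACLs / CBAC: an outbound flow of
    an inspected protocol creates an entry, and an inbound packet whose
    5-tuple mirrors that entry is treated as the predicted return flow."""

    def __init__(self, inspect_protos: Tuple[str, ...]):
        self.inspect_protos = inspect_protos
        self.table: Dict[FlowKey, str] = {}

    def note_outbound(self, pkt: Packet) -> None:
        if pkt.proto in self.inspect_protos:
            self.table[(pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)] = "established"

    def return_allowed(self, pkt: Packet) -> bool:
        mirrored: FlowKey = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        return mirrored in self.table


class Ids:
    """Placed after filtering, so it inspects only packets that were forwarded."""

    def __init__(self) -> None:
        self.seen: List[Packet] = []
        self.alerts: List[str] = []

    def inspect(self, pkt: Packet) -> None:
        self.seen.append(pkt)
        # Constructed protocol-anomaly rule: an HTTP verb on the SMTP port,
        # i.e. the "does an SMTP packet carry GET" check from the reply.
        if pkt.dport == 25 and pkt.payload.startswith(b"GET "):
            self.alerts.append(f"http-verb-on-smtp {pkt.src}:{pkt.sport}->{pkt.dst}")


def process(pkt: Packet, in_acl: List[AclEntry], out_acl: List[AclEntry],
            engine: StatefulEngine, ids: Ids) -> str:
    """Assumed order: dynamic return-path state, then static ACL, then state
    update for outbound flows, then IDS.  Returns the verdict."""
    if pkt.direction == "out":
        if not acl_permits(out_acl, pkt):
            return "drop:acl-out"
        engine.note_outbound(pkt)
    else:
        # the dynamic entry opened by an earlier outbound packet is consulted
        # before the static inbound ACL, which here has nothing but implicit deny
        if not engine.return_allowed(pkt) and not acl_permits(in_acl, pkt):
            return "drop:acl-in"
    ids.inspect(pkt)           # only qualifying traffic reaches the sensor
    return "forward"


def run_demo():
    inside, mail, stranger = "10.1.1.10", "198.51.100.25", "203.0.113.7"
    out_acl = [AclEntry("permit", "tcp")]     # inside hosts may start TCP sessions
    in_acl: List[AclEntry] = []               # no static inbound permits
    engine = StatefulEngine(inspect_protos=("tcp",))
    ids = Ids()
    packets = [
        Packet(inside, mail, "tcp", 40000, 25, "out", b"HELO mail.example\r\n"),
        Packet(mail, inside, "tcp", 25, 40000, "in", b"250 OK\r\n"),           # predicted return
        Packet(stranger, inside, "tcp", 5555, 25, "in", b"HELO x\r\n"),        # unsolicited
        Packet(inside, mail, "tcp", 40001, 25, "out", b"GET / HTTP/1.0\r\n"),  # anomaly
        Packet(mail, inside, "tcp", 25, 40002, "in", b"220 hi\r\n"),           # no state
    ]
    verdicts = [process(p, in_acl, out_acl, engine, ids) for p in packets]
    return verdicts, len(ids.seen), ids.alerts, len(engine.table)


if __name__ == "__main__":
    verdicts, seen, alerts, flows = run_demo()
    print("verdicts:", verdicts)
    print(f"IDS inspected {seen} of 5 packets; state table holds {flows} flows")
    print("alerts:", alerts)
```

Running it forwards the two outbound SMTP sessions and the one reply that mirrors an existing state entry, drops the unsolicited inbound connection and the reply with no matching state at the ACL stage, and shows the IDS inspecting three of the five packets; the only alert fires on the outbound packet carrying an HTTP verb toward port 25. That is the point of John's remark about SNORT logs: a sensor behind the filter never has to log the traffic the ACL already discarded.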



This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:43 GMT-3