From: Brad Spencer (bradsp@outworks.net)
Date: Thu Jun 17 2004 - 17:20:52 GMT-3
So, I think we may be able to answer one of the line items that deal with
(Cat6K PFS/MSFC) using VACLs with IDSM-2. <Fingers crossed>
Original Question:
Is the packet processed by the IDS before return CBAC traffic is checked?
(i.e. the MLS IP inspect command)
Answer:
It depends on how the ACL is applied and the purpose of the ACL.
Security ACL used for capturing:
A VLAN may not have ('IP Inspect' CBAC) configured along with a Security
VACL because return traffic is ignored by the VACL. So if the IDSM-2 sensor
relies on the VLAN ACL to receive packets it will not receive the returned
CBAC packets. Instead the 'MLS IP IDS' command is used to apply an extended
ACL to the VLAN which is designed to not allow CBAC return traffic to ignore
the ACL. Is this correct?
Standard ACL for traffic blocking:
CBAC return traffic ignores the 'traffic blocking extended ACL' applied to
the VLAN so this traffic is processed by the sensor. Assuming the sensor
port is trunking the VLAN in question.
Does this 'Answer' the one 'Original Question' posed?
Thanks,
Brad
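As an added illustration (not part of the thread, and not a configuration the author posted) of the two capture paths Brad contrasts above: a VACL with the capture action versus the `mls ip ids` command on a routed VLAN interface that also carries `ip inspect`. It assumes a Cat6500 running native IOS with the IDSM-2 in slot 5, VLAN 10, and constructed names (IDS_CAPTURE, IDS_MAP, CBAC_RULES); the exact syntax is recalled from the platform documentation and should be checked against the IOS release in use.

```cisco
! Constructed example: feed VLAN 10 traffic to an IDSM-2 in slot 5.
! ACL, map and inspect names plus slot/VLAN numbers are assumed.

ip access-list extended IDS_CAPTURE
 permit ip any any

ip inspect name CBAC_RULES tcp
ip inspect name CBAC_RULES udp

! Path 1: VACL capture. Return traffic of CBAC-inspected sessions on
! this VLAN bypasses the VACL, so a sensor fed only this way misses it.
vlan access-map IDS_MAP 10
 match ip address IDS_CAPTURE
 action forward capture
vlan filter IDS_MAP vlan-list 10

! Path 2: mls ip ids on the routed VLAN interface, the method Brad's
! reply describes for a VLAN that also has CBAC inspection applied.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip inspect CBAC_RULES in
 mls ip ids IDS_CAPTURE

! Hand captured traffic to the IDSM-2 data port (slot 5, data-port 1)
! and restrict the capture to the VLAN in question.
intrusion-detection module 5 data-port 1 capture
intrusion-detection module 5 data-port 1 capture allowed-vlan 10
```

On a VLAN with `ip inspect`, verifying with `show vlan filter` and the sensor's own interface statistics shows whether return-direction packets are actually reaching the data port.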
-----Original Message-----
From: John Underhill [mailto:stepnwlf@magma.ca]
Sent: Thursday, June 17, 2004 3:23 PM
To: Brad Spencer; 'CCIELab'; nobody@groupstudy.com
Subject: Re: Tying firewalls, ACLs and IDS together
It is my understanding that traffic first passes through the packet filter
(directional acl), then qualifying traffic gets passed on to be inspected at
higher layers. Something like stateful inspection in CBAC, looks into the
payload data structures to see if the command set corresponds to the
protocol type, (does an smtp packet have Mail To, HELO or GET and CMD
instructions), but there are times where these mechanisms are working in
tandem. I remember seeing a thread on CBAC where the authors suggested if
there was no inbound acl, CBAC would still be inspecting the selected
traffic types, but consequently, my debugs of CBAC and sh commands showed an
idle inspection engine in the absence of the preliminary filter. Other
firewalls use intelligent session filtering, like reflexive ACLs, that open
traffic flows originated from within the network, and use a predictive
algorithm to open the corresponding connection port between source and
destination nodes mapped in the state table. Point being that both these
methods require the acls as both preliminary filters and as enablers for the
higher level traffic filtering. As for IDS systems, it seems to make the
most sense that you would run this inside your network, after the filtering
has occurred. (If you have ever looked through SNORT logs on a busy network,
you know why I favor this approach..).
----- Original Message -----
From: "Brad Spencer" <bradsp@outworks.net>
To: <security@groupstudy.com>; "'CCIELab'" <ccielab@groupstudy.com>;
<nobody@groupstudy.com>
Sent: Thursday, June 17, 2004 2:28 PM
Subject: Tying firewalls, ACLs and IDS together
> Hello Everyone,
>
> I am having difficulty understanding the processing steps taken when a
> packet arrives in the following scenarios. It's my feeling that an
> understanding of this will be crucial for the CCIE Security exam and for day
> to day real world work. If anyone has any insight on this please reply all
> to help generate a discussion on the matter. Any links to information that
> could help answer the theme of these types of questions would be greatly
> appreciated.
>
>
>
> 2600XM and NM-CIDS-K9 installed.
>
> Is the packet processed by the IDS before a standard access list is checked?
>
> Is the packet processed by the IDS before return CBAC traffic is checked?
>
> Is the packet processed by the IDS before NAT translates the address? If
> outside NAT is configured will the tcp reset or shun action be applied to
> the translated or real address?
>
>
>
> Note: It is my understanding that the single interface on the NM-CIDS-K9 is
> only for 'command and control' thus only 'command and control packets' are
> processed by the IDS CPU before reaching the router bus, thus immune to any
> acls or NAT on the router side so I guess our discussion should focus on the
> router interfaces.
>
>
>
> CAT6k with PFS/MSFC and IDSM-2 installed
>
> Is the packet processed by the IDS before an extended access list is
> checked?
>
> Is the packet processed by the IDS before a VLAN ACL is checked?
>
> Is the packet processed by the IDS before return CBAC traffic is checked?
> (i.e. the MLS IP inspect command)
>
> Is the packet processed by the IDS before NAT translates the address? If
> outside NAT is configured will the tcp reset or shun action be applied to
> the translated or real address?
>
>
>
> CAT6k with FWSM and IDSM-2 installed
>
> Is the packet processed by the IDS before NAT translates the address? If
> outside NAT is configured will the tcp reset or shun action be applied to
> the translated or real address?
>
> Is the packet processed by the IDS before a standard access list is checked?
>
> Is the packet processed by the IDS before return CBAC traffic is checked?
>
> What are inside and outside NAT considerations when dealing with a switch
> with both modules installed?
>
>
>
> Thanks!
>
> Brad
>
This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:43 GMT-3