RE: NBAR for Security Filtering

From: Scott Morris (swm@emanon.com)
Date: Wed Dec 15 2004 - 15:54:09 GMT-3


When this book and the whitepapers were first written, 'drop' was likely not
a valid entry for the policy.

Plus there is some argument about which parts of code take more processing
power to execute (which nobody will likely have a true answer that could be
released publicly anyway!).

But mostly a timing thing.

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Lord, Chris
Sent: Wednesday, December 15, 2004 1:48 PM
To: Group Study
Subject: NBAR for Security Filtering

I was wondering whether anybody has read Deal's "Cisco Router Firewall
Security" book - section on using NBAR to filter attacks.

The method prescribed is to craft a policy map on the inbound interface
using NBAR to detect dangerous traffic (e.g. Code Red urls), mark matching
packets with a dscp value and then use an acl on the outbound interface to
detect the dscp value and deny the traffic.

Why not just drop the packets in the first place using the inbound
policy-map instead of letting it traverse the router first??

Any views out there on this??

TIA

Chris.
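The two designs discussed in this thread side by side, as an added illustration that is not taken from the book or from either poster. Interface names, the DSCP value and the exact URL strings are assumptions; the class-map, the marking policy, the outbound ACL and the inbound "drop" action are all standard IOS MQC/ACL syntax.

```cisco
! Constructed example; interface names and DSCP value are assumptions.
! Both designs use the same NBAR class: HTTP requests whose URL
! contains strings seen in Code Red style probes.
class-map match-any HTTP-HACKS
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
! Design 1 (the book's method): mark on the inbound interface, then
! discard with an ACL on the outbound interface.  Marked packets are
! switched through the router before the ACL denies them.
policy-map MARK-HACKS
 class HTTP-HACKS
  set ip dscp 1
!
ip access-list extended DROP-MARKED
 deny   ip any any dscp 1
 permit ip any any
!
interface FastEthernet0/0
 description outside
 service-policy input MARK-HACKS
!
interface FastEthernet0/1
 description inside
 ip access-group DROP-MARKED out
!
! Design 2 (the alternative Chris asks about): discard inside the
! inbound policy-map itself, so nothing is forwarded.  The "drop" class
! action only exists in IOS releases that added it to MQC, which is the
! timing point raised in the reply above.
policy-map DROP-HACKS
 class HTTP-HACKS
  drop
!
interface FastEthernet0/0
 no service-policy input MARK-HACKS
 service-policy input DROP-HACKS
```

Either way, `show policy-map interface FastEthernet0/0` shows per-class match counters for the inbound policy, and for design 1 `show ip access-lists DROP-MARKED` shows how many marked packets the outbound ACL actually denied.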




This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:27 GMT-3