From: Lord, Chris (chris.lord@lorien.co.uk)
Date: Wed Dec 15 2004 - 16:37:58 GMT-3
Many thanks for the replies. I had wondered about feature-set timing but
since the book makes several references to 12.3(4)T I'd just about ruled
that one out. Hadn't thought about performance issues though!
Regards,
Chris.
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: 15 December 2004 18:54
To: Lord, Chris; 'Group Study'
Subject: RE: NBAR for Security Filtering
When this book and the whitepapers were first written, 'drop' was likely not a valid entry for the policy.
Plus there is some argument about which parts of code take more processing power to execute (to which nobody will likely have a true answer that could be released publicly anyway!).
But mostly a timing thing.
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Lord, Chris
Sent: Wednesday, December 15, 2004 1:48 PM
To: Group Study
Subject: NBAR for Security Filtering
I was wondering whether anybody has read Deal's "Cisco Router Firewall Security" book - section on using NBAR to filter attacks.
The method prescribed is to craft a policy map on the inbound interface using NBAR to detect dangerous traffic (e.g. Code Red URLs), mark matching packets with a DSCP value and then use an ACL on the outbound interface to detect the DSCP value and deny the traffic.
Why not just drop the packets in the first place using the inbound policy-map instead of letting it traverse the router first??
Any views out there on this??
TIA
Chris.
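For readers who have not seen the two approaches side by side, here is an added IOS configuration sketch of what the thread is discussing. It is not taken from Deal's book, the Cisco whitepapers or any list member's post; the interface names, the DSCP value 1 and the URL patterns are assumptions chosen for illustration. The first part is the mark-then-filter method Chris describes (NBAR marks on the outside interface inbound, an ACL denies the mark on the inside interface outbound); the second part is the single-step alternative that drops in the inbound policy-map, which Scott notes was not available when the book was written.

```cisco
! NBAR requires CEF switching on the router
ip cef
!
! Classify HTTP requests whose URL matches the worm's known request patterns
! (patterns are illustrative assumptions; NBAR matches the URL portion of
! the request, not the Host header)
class-map match-any http-attacks
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
! ---- Method 1: mark inbound, filter outbound (the book's approach) ----
policy-map mark-attacks
 class http-attacks
  set ip dscp 1
!
interface FastEthernet0/0
 description outside (untrusted)
 ip address 192.0.2.1 255.255.255.0
 service-policy input mark-attacks
!
! Deny anything still carrying the marking when it leaves toward the
! protected network; everything else is permitted
ip access-list extended drop-marked
 deny   ip any any dscp 1
 permit ip any any
!
interface FastEthernet0/1
 description inside (protected)
 ip address 198.51.100.1 255.255.255.0
 ip access-group drop-marked out
!
! ---- Method 2: drop at ingress in the same policy-map (newer IOS) ----
! Replaces the mark/ACL pair above on the outside interface; the packet is
! discarded before any further forwarding decision is made
policy-map drop-attacks
 class http-attacks
  drop
!
interface FastEthernet0/0
 no service-policy input mark-attacks
 service-policy input drop-attacks
```

Two points worth checking before relying on either variant: with method 1, any packet that already arrives with DSCP 1 from the outside is also dropped by the egress ACL, so pick a value that no legitimate upstream traffic uses (or re-mark trusted traffic first); with both variants, confirm the match actually fires with `show policy-map interface FastEthernet0/0` and `show ip nbar protocol-discovery`, since NBAR only inspects what it can classify as HTTP.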
This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:27 GMT-3