RE: TCP intercept in intercept mode

From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Mon Jul 10 2006 - 11:29:22 ART


Hi Radoslav,

http://www.windowsecurity.com/whitepapers/Secure_IOS_Template_Version_22.html

Regards
Victor.-

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of
Radoslav Vasilev
Sent: Monday, July 10, 2006 09:52 a.m.
To: Cisco certification
Subject: TCP intercept in intercept mode

Hi Group,

After checking cisco.com and the archives, I still can't understand whether the
following is at all possible or not:

A router is required to `act as a proxy` between the Internet and a local
web server. (IEWB lab14, task 9.1)
This brings us to the idea of intercept mode for the tcp intercept.

Let's say the web server is at:
access-list 102 permit tcp any host 167.1.4.119

ip tcp intercept list 102

! the default mode anyway
ip tcp intercept mode intercept

Now, what confuses me is: ``the router should send a reset for any tcp
session that has not reached the established state after 30 seconds``.

This confuses me, because from what I know about this feature, when the
router is in intercept mode, it receives the initial SYN, replies with
SYN+ACK to the client/attacker and waits for the reply (ACK). So, I believe that
in this mode the router will never send RST to the client/attacker and for
the purposes of internal maintenance will delete the table entry when it
enters aggressive mode (when it needs to start deleting old entries, ip tcp
intercept max-incomplete reached for example).

The IE solution suggests using ``ip tcp intercept watch-timeout``, but on CCO
this command is explicitly stated to be working for the passive (watch) mode
only:

<doc cd>
Use this command if you have set the TCP intercept to passive watch mode and
you want to change the default time the connection is watched. During
aggressive mode, the watch timeout time is cut in half.
</doc cd>

My questions:
- what is the right behaviour in tcp intercept mode (does the router send
resets)?
- if it does - why the heck? the http client is either too slow (that's
highly unlikely even) or an attacker with spoofed IP so the RST would be
lost anyway
- how is the internal maintenance organized in intercept mode - is it managed
with the `ip tcp intercept max-incomplete` settings (or `ip tcp intercept
one-minute ***``) or is the command `ip tcp intercept watch-timeout`
applicable in intercept mode?

Thanks for your help!
Rado
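For readers following the thread, here is the two-mode configuration put side by side, as an added example that is not from the original thread: the ACL and server address follow Rado's post, the threshold numbers are constructed sample values, and watch mode is the variant the CCO text quoted above documents the watch-timeout for.

```cisco
! Added example, not from the original thread. ACL and address follow
! Rado's post; the threshold values below are constructed samples.
!
! Only traffic to the web server is subject to TCP intercept.
access-list 102 permit tcp any host 167.1.4.119
ip tcp intercept list 102
!
! Aggressive-mode thresholds. They apply whichever mode is chosen:
! when either "high" value is crossed the router starts dropping
! half-open entries (oldest first here), and it backs off once the
! count falls under the matching "low" value.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
!
! Variant A: passive watch mode. The SYN is forwarded untouched and the
! router only watches the handshake; this is the mode for which the
! watch-timeout is documented. A session still not established when the
! timer expires is terminated by the router, which is the 30-second
! behaviour the lab task describes. In aggressive mode the timer is
! halved, as the CCO quote says.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 30
!
! Variant B: active intercept mode (the default). The router answers the
! client's SYN with its own SYN+ACK and only opens the server side once
! the client's ACK arrives. Shown commented out, since only one mode can
! be active; with it, cleanup of half-open entries is driven by the
! thresholds above rather than by watch-timeout.
! ip tcp intercept mode intercept
!
! Verification: half-open vs established entries, and the counters that
! show whether aggressive mode has been entered.
! show tcp intercept connections
! show tcp intercept statistics
```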



This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:47 ART