RE: Re: TCP Intercept v/s CBAC (ip inspect)

From: Victor C. (cvictor@protokolgroup.com)
Date: Wed Oct 18 2006 - 22:12:18 ART


I do not know why you guys compare CBAC to TCP Intercept.

Maybe because the configuration is almost similar (just tcp added in front
of inspect?). CBAC can do DoS protection as well, but it works more
efficiently, since it uses a FAB to create the state table, and ACLs are
created on the fly. Also, you can modify in real time how to suspend a
session (default 30 seconds). CBAC is more active (inspect) than TCP
Intercept; TCP Intercept works more as a watch for the connection. You can
configure this and see that the connection is only dropped when the mode is
in watch mode and you configured it with ip tcp intercept watch-timeout
X seconds.

Try this in a lab using a router that NATs the source IP address to
another IP address reachable on your network... and do some port
translation: take ICMP, send it out at wire speed, and convert it to
telnet packets via PAT.

See that with the intercept mode, the connection has to wait to expire in
the router. Also think: a router has a lower CPU than web servers (ask Yahoo
about that), so creating a block here (at the router) could cause the
router to be defeated by a DoS attack as well. Who thought of that idea of
intercepting the traffic at the router??

I would rather compare CBAC with RACLs; the only difference I can find between
CBAC and RACLs is that CBAC is more user friendly, I mean you do not need
to reflect the traffic to be evaluated back.

CBAC is stateful for TCP connections, but it must approximate UDP and ICMP
connections. It does this for "connectionless" sessions by assigning an idle
period to them, and that's it for those 2...

Example:
You can configure CBAC to evaluate the return traffic with these commands:

R1#show run | in inspect|interface
ip inspect name CBAC-EXAMPLE tcp
ip inspect name CBAC-EXAMPLE udp
ip inspect name CBAC-EXAMPLE icmp
interface Loopback0
interface FastEthernet0/0
interface Serial1/0
 ip inspect CBAC-EXAMPLE out
interface Serial1/1
interface Serial1/2

interface Serial1/0
 ip address 150.1.12.1 255.255.255.0
 ip access-group EXTERNAL-ACL in
 ip inspect CBAC-EXAMPLE out
 encapsulation ppp
 serial restart-delay 0
 clock rate 64000
end

R1#show ip access-list
Extended IP access list EXTERNAL-ACL
    10 deny tcp any any log
    20 deny udp any any log
    30 deny ip any any

Now with CBAC you do not need to specify how the return traffic is processed
(well, yes, with the inspect name protocol), but it is much easier than
reflecting traffic back like in RACLs. Also you can arrange for the dynamic
ACL entries created by CBAC to be removed after a period of time...

R1(config)#ip inspect name CBAC-EXAMPLE icmp timeout 5

I passed some ICMP echoes through that router, and got:

*Mar 1 00:06:33.259: CBAC: ICMP Echo pkt 150.1.13.3 => 2.2.2.2
*Mar 1 00:06:33.259: CBAC: ICMP Echo pkt 150.1.13.3 => 2.2.2.2
*Mar 1 00:06:33.263: CBAC: ICMP Echo pkt 150.1.13.3 => 2.2.2.2
*Mar 1 00:06:33.331: CBAC: ICMP Echo Reply pkt 2.2.2.2 => 150.1.13.3
*Mar 1 00:06:33.379: CBAC: ICMP Echo pkt 150.1.13.3 => 2.2.2.2
*Mar 1 00:06:33.427: CBAC: ICMP Echo Reply pkt 2.2.2.2 => 150.1.13.3

R1#show debugging
Inspection:
  INSPECT ICMP Inspection debugging is on
R1#
R1#
R1#show ip access-list
Extended IP access list EXTERNAL-ACL
     permit icmp host 2.2.2.2 host 150.1.13.3 echo-reply (2 matches)
     permit icmp any host 150.1.13.3 time-exceeded
     permit icmp any host 150.1.13.3 unreachable
    10 deny tcp any any log
    20 deny udp any any log
    30 deny ip any any
R1#show ip access-list
Extended IP access list EXTERNAL-ACL
    10 deny tcp any any log
    20 deny udp any any log
    30 deny ip any any

It only took 2 sec to remove the ACL entries.

I would see CBAC as RACLs on steroids, since it can avoid creating a big
security hole like DNS spoofing, which RACLs can create very easily.

Just my 2 cents, because understanding every feature of CBAC would take a
whole bootcamp of 5 days.

Victor.-
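As an added illustration (my own Python model, not Victor's router config or Cisco code): a toy inspection table that mimics what the debug output above shows. The outbound echo from 150.1.13.3 opens an ICMP session, the echo-reply from 2.2.2.2 is permitted only while that session is live, and after the configured 5-second idle timeout the return traffic falls back to the static deny. Hosts and timeouts come from the post; the class, function names and the UDP/TCP 5-tuple matching are my assumptions about how such a table behaves.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # for icmp this field carries the ICMP type instead
    dport: int = 0

ICMP_ECHO, ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED = 8, 0, 3, 11

class Inspector:
    """Session table keyed by (proto, src, dst, sport, dport) -> last seen time."""
    def __init__(self, timeouts):
        self.timeouts = timeouts   # per-protocol idle timeout in seconds
        self.sessions = {}

    def _expire(self, now):
        # Drop every session whose idle timer has run out (the "dynamic ACL" vanishes).
        for key, last in list(self.sessions.items()):
            if now - last >= self.timeouts[key[0]]:
                del self.sessions[key]

    def outbound(self, pkt, now):
        """Traffic leaving the inspected interface opens or refreshes a session."""
        if pkt.proto in self.timeouts:
            self.sessions[(pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)] = now

    def inbound(self, pkt, now):
        """True if pkt is return traffic for a live session; otherwise the static ACL denies it."""
        self._expire(now)
        if pkt.proto == "icmp":
            for proto, src, dst, _type, _ in self.sessions:
                if proto != "icmp" or src != pkt.dst:
                    continue
                if pkt.sport == ICMP_ECHO_REPLY and pkt.src == dst:
                    return True   # echo-reply only from the host that was pinged
                if pkt.sport in (ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED):
                    return True   # errors may come from any hop on the path
            return False
        key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)  # reversed 5-tuple
        if key in self.sessions:
            self.sessions[key] = now   # refresh the idle timer
            return True
        return False

def icmp_demo():
    """Replays the post's scenario: echo out at t=0, reply at t=0.1, reply again at t=6."""
    insp = Inspector({"tcp": 3600, "udp": 30, "icmp": 5})
    insp.outbound(Packet("icmp", "150.1.13.3", "2.2.2.2", ICMP_ECHO), now=0.0)
    reply = Packet("icmp", "2.2.2.2", "150.1.13.3", ICMP_ECHO_REPLY)
    return insp.inbound(reply, 0.1), insp.inbound(reply, 6.0)
```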
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of
johngibson1541@yahoo.com
Sent: Wednesday, 18 October 2006 06:04 p.m.
To: ccielab@groupstudy.com
Subject: Re: Re: TCP Intercept v/s CBAC (ip inspect)

Also, CBAC can approximate UDP "sessions" (no return traffic treated as half
open).

TCP intercept can't handle UDP traffic.

John



This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:06 ART