From: Victor C. (cvictor@protokolgroup.com)
Date: Thu Oct 19 2006 - 00:35:39 ART
Ahhhhhh BTW
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/hfwicmp.htm#wp1027265
int e0
is missing
ip inspect test out
Just in case you cared :D
-----Original Message-----
From: Victor C. [mailto:cvictor@protokolgroup.com]
Sent: Wednesday, 18 October 2006 09:12 p.m.
To: 'johngibson1541@yahoo.com'; 'ccielab@groupstudy.com'
Subject: RE: Re: TCP Intercept v/s CBAC (ip inspect)
I do not know why you guys compare CBAC to TCP Intercept?
Maybe because the configuration is almost similar (just "tcp" added in front
of "inspect"?). CBAC can do DoS protection as well, but it works more
efficiently, since it uses a FAB to create the state table, and ACLs are
created on the fly. Also you can modify in real time how to suspend a
session (default 30 seconds). CBAC is more active (inspect) than TCP
Intercept; TCP Intercept works more as a watch for the connection. You can
configure this and see that the connection is only dropped when the mode is
in watch mode and you configured it with ip tcp intercept watch-timeout
Xseconds.
Try this in a lab using a router that NATs the source IP address to
another IP address reachable on your network... and do some port
translation, to convert ICMP: send it out at wire speed and convert them to
telnet packets via PAT.
See that with intercept mode, the connection has to wait to expire in
the router. Also think: the router has a lower CPU than web servers (ask Yahoo
about that), so creating a block here (at the router) could cause the
router to be defeated by a DoS attack as well. Who thought of that idea of
intercepting the traffic at the router??
I would compare CBAC more with RACLs; the only difference I can find between
CBAC and RACLs is that CBAC is more user friendly, I mean you do not need
to reflect traffic to be evaluated back.
CBAC is stateful for TCP connections, but it must approximate UDP and ICMP
connections. It does this for "connectionless" sessions by assigning an idle
period to them, and that's it for those two...
Example:
You can configure CBAC to evaluate the return traffic with these commands
R1#show run | in inspect|interface
ip inspect name CBAC-EXAMPLE tcp
ip inspect name CBAC-EXAMPLE udp
ip inspect name CBAC-EXAMPLE icmp
interface Loopback0
interface FastEthernet0/0
interface Serial1/0
ip inspect CBAC-EXAMPLE out
interface Serial1/1
interface Serial1/2
interface Serial1/0
ip address 150.1.12.1 255.255.255.0
ip access-group EXTERNAL-ACL in
ip inspect CBAC-EXAMPLE out
encapsulation ppp
serial restart-delay 0
clock rate 64000
end
R1#show ip access-list
Extended IP access list EXTERNAL-ACL
10 deny tcp any any log
20 deny udp any any log
30 deny ip any any
Now with CBAC you do not need to specify how the return traffic is processed
(well, yes, with the inspect name protocol), but it is much easier than
reflecting traffic back like in RACLs; also you can arrange for that dynamic
ACL created by CBAC to be unconfigured after a period of time..
R1(config)#ip inspect name CBAC-EXAMPLE icmp timeout 5
I passed some ICMP echoes through that router, and got
*Mar 1 00:06:33.259: CBAC: ICMP Echo pkt 150.1.13.3 => 2.2.2.2
*Mar 1 00:06:33.259: CBAC: ICMP Echo pkt 150.1.13.3 => 2.2.2.2
*Mar 1 00:06:33.263: CBAC: ICMP Echo pkt 150.1.13.3 => 2.2.2.2
*Mar 1 00:06:33.331: CBAC: ICMP Echo Reply pkt 2.2.2.2 => 150.1.13.3
*Mar 1 00:06:33.379: CBAC: ICMP Echo pkt 150.1.13.3 => 2.2.2.2
*Mar 1 00:06:33.427: CBAC: ICMP Echo Reply pkt 2.2.2.2 => 150.1.13.3
R1#show debugging
Inspection:
INSPECT ICMP Inspection debugging is on
R1#
R1#
R1#show ip access-list
Extended IP access list EXTERNAL-ACL
permit icmp host 2.2.2.2 host 150.1.13.3 echo-reply (2 matches)
permit icmp any host 150.1.13.3 time-exceeded
permit icmp any host 150.1.13.3 unreachable
10 deny tcp any any log
20 deny udp any any log
30 deny ip any any
R1#show ip access-list
Extended IP access list EXTERNAL-ACL
10 deny tcp any any log
20 deny udp any any log
30 deny ip any any
It only took 2 sec to remove the ACL entries.
I would see CBAC as RACLs on steroids, since it can avoid creating a big
security hole like DNS spoofing, which RACLs can create very easily.
Just my 2 cents, because understanding every feature of CBAC would take a
whole 5-day bootcamp.
Victor.-
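The behaviour Victor demonstrates above (an outbound echo creates return-traffic entries at the top of EXTERNAL-ACL, matching replies refresh them, and they are dropped after the configured idle timeout) is modelled here as an added example. It is not code from the post or from Cisco IOS; the class and function names, the ACL representation and the 5-second timeout are assumptions of this example, and the debug lines are the ones quoted in the post, copied in as constructed sample input. The model's rendered access list reproduces the `show ip access-list` output shown after the pings, and then shows the entries gone once more than 5 seconds pass with no matching traffic.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: the 'debug ip inspect icmp' lines quoted in the post.
DEBUG_LINES = """\
*Mar 1 00:06:33.259: CBAC: ICMP Echo pkt 150.1.13.3 => 2.2.2.2
*Mar 1 00:06:33.259: CBAC: ICMP Echo pkt 150.1.13.3 => 2.2.2.2
*Mar 1 00:06:33.263: CBAC: ICMP Echo pkt 150.1.13.3 => 2.2.2.2
*Mar 1 00:06:33.331: CBAC: ICMP Echo Reply pkt 2.2.2.2 => 150.1.13.3
*Mar 1 00:06:33.379: CBAC: ICMP Echo pkt 150.1.13.3 => 2.2.2.2
*Mar 1 00:06:33.427: CBAC: ICMP Echo Reply pkt 2.2.2.2 => 150.1.13.3
"""

LINE_RE = re.compile(
    r"^\*(?P<ts>[A-Za-z]{3} \d+ \d\d:\d\d:\d\d\.\d+): CBAC: ICMP "
    r"(?P<kind>Echo Reply|Echo) pkt (?P<src>[\d.]+) => (?P<dst>[\d.]+)$"
)

# The static part of EXTERNAL-ACL from the post: everything inbound is denied.
STATIC_ACL = ["10 deny tcp any any log", "20 deny udp any any log", "30 deny ip any any"]


@dataclass
class DynamicEntry:
    src: str        # "any" or the outside host that may answer
    dst: str        # the inside host that sent the echo
    icmp_type: str  # echo-reply, time-exceeded, unreachable
    matches: int = 0

    def render(self):
        src = "any" if self.src == "any" else f"host {self.src}"
        line = f"permit icmp {src} host {self.dst} {self.icmp_type}"
        return line + (f" ({self.matches} matches)" if self.matches else "")


class CbacIcmpInspector:
    """Hypothetical model of 'ip inspect name X icmp timeout N' applied outbound."""

    def __init__(self, idle_timeout):
        self.idle_timeout = timedelta(seconds=idle_timeout)
        self.sessions = {}      # (inside, outside) -> (last_seen, [DynamicEntry, ...])
        self.last_event = None  # timestamp of the most recent packet seen

    def _expire(self, now):
        stale = [k for k, (seen, _) in self.sessions.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def outbound_echo(self, src, dst, now):
        """An outbound echo opens (or refreshes) a session and its return-traffic entries."""
        self._expire(now)
        self.last_event = now
        if (src, dst) in self.sessions:
            self.sessions[(src, dst)] = (now, self.sessions[(src, dst)][1])
        else:
            self.sessions[(src, dst)] = (now, [
                DynamicEntry(dst, src, "echo-reply"),
                DynamicEntry("any", src, "time-exceeded"),
                DynamicEntry("any", src, "unreachable"),
            ])

    def inbound(self, src, dst, icmp_type, now):
        """Inbound packet: dynamic entries are checked first, then the static ACL denies it."""
        self._expire(now)
        self.last_event = now
        for key, (seen, entries) in self.sessions.items():
            for e in entries:
                if e.dst == dst and e.icmp_type == icmp_type and e.src in ("any", src):
                    e.matches += 1
                    self.sessions[key] = (now, entries)   # refresh the idle timer
                    return "permit"
        return "deny"

    def inbound_after(self, seconds, src, dst, icmp_type):
        """Evaluate an inbound packet arriving 'seconds' after the last observed packet."""
        return self.inbound(src, dst, icmp_type, self.last_event + timedelta(seconds=seconds))

    def show_access_list(self):
        """Render EXTERNAL-ACL the way 'show ip access-list' displays it."""
        lines = ["Extended IP access list EXTERNAL-ACL"]
        for _, entries in self.sessions.values():
            lines.extend(e.render() for e in entries)
        return lines + STATIC_ACL


def replay(debug_text, idle_timeout=5):
    """Feed the debug lines through the model; returns (inspector, inbound decisions)."""
    insp = CbacIcmpInspector(idle_timeout)
    decisions = []
    for line in debug_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        now = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        if m["kind"] == "Echo":
            insp.outbound_echo(m["src"], m["dst"], now)
        else:
            decisions.append(insp.inbound(m["src"], m["dst"], "echo-reply", now))
    return insp, decisions


if __name__ == "__main__":
    insp, decisions = replay(DEBUG_LINES, idle_timeout=5)
    print("\n".join(insp.show_access_list()))
    print("echo-reply 6 s after the last packet:",
          insp.inbound_after(6, "2.2.2.2", "150.1.13.3", "echo-reply"))
    print("\n".join(insp.show_access_list()))
```

Running it prints the same three dynamic lines as the post's second `show ip access-list` (two matches on the echo-reply entry), and after a 6-second gap the access list is back to the three static deny lines. An unsolicited echo-reply from a host that was never pinged never matches, which is the point of inspecting rather than reflecting.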
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of
johngibson1541@yahoo.com
Sent: Wednesday, 18 October 2006 06:04 p.m.
To: ccielab@groupstudy.com
Subject: Re: Re: TCP Intercept v/s CBAC (ip inspect)
Also, CBAC can approximate UDP "sessions" (no return traffic treated as half
open).
TCP intercept can't handle UDP traffic.
John
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:06 ART