From: Patrick Galligan (pgalligan@gmail.com)
Date: Wed Oct 10 2007 - 08:29:02 ART
On 10/10/07, Joseph Brunner <joe@affirmedsystems.com> wrote:
>
> -I wanted to start a discussion regarding handling routing protocols when
> using reflexive acl's and CBAC
>
I would think CBAC would be a lot simpler. Through any stateful
firewall you just inspect outbound TCP traffic (all or specific,
depending on your security policy) and don't need to specifically
allow inbound from the 'outside' BGP peer. The session can only be
established by the 'inside' BGP router, but it hasn't been an issue on
any that I've configured.
"Task 7.2 Configure a traffic inspection policy on R6's G0/1 interface that
only permits return traffic that was originated within the network
Any routing protocols previously configured must work after this
policy is applied
If access-lists are used do not explicitly permit any routing protocol"
Was there any restriction on allowing all TCP? Would it have been simpler
than the method you used?
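As an added illustration of the approach described above (this is not configuration from the thread or from the lab in question), here is what "inspect outbound TCP, permit nothing inbound explicitly" looks like in IOS CBAC on R6's G0/1. The interface name comes from the quoted task; the addresses, AS numbers, and the ACL and inspect-rule names are assumed for the example.

```ios
! Added example, not part of the original post. Addresses, AS numbers and the
! names OUTSIDE-IN / INSPECT-OUT are assumptions.
!
! Inbound ACL on the outside interface. No routing protocol is explicitly
! permitted; the only permits will be the dynamic entries CBAC inserts in
! front of this ACL for sessions it has inspected on the way out.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
! Generic TCP inspection. BGP is TCP/179, so when R6 opens the session to the
! outside peer CBAC records it and lets the reply packets back in.
ip inspect name INSPECT-OUT tcp
!
interface GigabitEthernet0/1
 description outside - toward the EBGP peer
 ip address 10.0.0.6 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect INSPECT-OUT out
!
router bgp 65006
 neighbor 10.0.0.5 remote-as 65005
!
! Checks after applying the policy:
!   show ip inspect sessions          - the TCP/179 session R6 initiated
!   show ip access-lists OUTSIDE-IN   - dynamic permit entries added by CBAC,
!                                       plus log hits for the peer's own SYNs
!   show ip bgp summary               - neighbor 10.0.0.5 in Established state
```

Two caveats worth knowing before relying on this. First, the outside peer will still try to open its own connection to R6 on TCP/179; those SYNs match the deny and are dropped, so only the session R6 originates can complete (which is what the message above describes). Second, CBAC only inspects TCP, UDP and, on newer IOS, ICMP, so an IGP running over the same interface (OSPF, EIGRP) cannot be handled by inspection at all, which is why the routing-protocol part of the task is harder than the BGP part.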
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:13 ART