Re: IP Inspect name NO-JAVA http java-list 1

From: Eric Phillips (ephillips@squick.cc)
Date: Fri Dec 07 2007 - 10:36:31 ART


Hi Gary,

CBAC is applied in the same direction as the traffic you want to track. So
it could be applied on the inbound direction of the inside interface, or on
the outbound direction of the outside interface.

Putting CBAC on the inbound direction of the outside interface would only
help incoming traffic, which is important if you are using a router as a
firewall and NAT device, and have an FTP server on the inside that you want
the outside folks to access. But that is a different case from what Mike
mentioned.

I do have a question, though, about there not being an access-list applied to
the interface. With CBAC traffic inspection, the traffic must be
denied for CBAC to pick it up. I am not familiar with the java filtering,
but I don't think CBAC will even inspect the traffic in any way
without an inbound ACL on your outside interface.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm

Quote:
External Interface

Here are some guidelines for your access lists when you will be configuring
Cisco IOS Firewall on an external interface:

If you have an outbound IP access list at the external interface, the
access list can be a standard or extended access list. This outbound access
list should permit traffic that you want to be inspected by Cisco IOS
Firewall. If traffic is not permitted, it will not be inspected by Cisco IOS
Firewall, but will be simply dropped.

The inbound IP access list at the external interface must be an extended
access list. This inbound access list should deny traffic that you want to
be inspected by Cisco IOS Firewall. (Cisco IOS Firewall will create
temporary openings in this inbound access list as appropriate to permit only
return traffic that is part of a valid, existing session.)

---

Hope that helps,

Eric M. Phillips

On 12/7/07, Gary Duncanson <gary.duncanson@googlemail.com> wrote:
>
> Should that not be
>
> int Serial 0/0
> descr Link to Internet
> ip inspect NO-JAVA in
>
> ----- Original Message -----
> From: <v.shekhar@yahoo.com>
> To: "Mike Stout" <michaelgstout@gmail.com>; <ccielab@groupstudy.com>
> Sent: Friday, December 07, 2007 8:57 AM
> Subject: Re: IP Inspect name NO-JAVA http java-list 1
>
> > Looks fine to me.
> >
> > Thanks,
> > -sHekHar.
> > CCIE#17589/CISSP/RHCE.
> >
> > ----- Original Message ----
> > From: Mike Stout <michaelgstout@gmail.com>
> > To: ccielab@groupstudy.com
> > Sent: Friday, December 7, 2007 5:00:16 AM
> > Subject: IP Inspect name NO-JAVA http java-list 1
> >
> > Hello:
> > Can anybody tell me if this is a correct config to protect the Ethernet
> > LAN from receiving JAVA APPLETS from the internet which is connected to
> > my serial interface??
> >
> > Router
> > ip inspect name NO-JAVA http java-list 1
> > access-list 1 deny any
> > !
> > interface Ethernet0/0
> > descr Corp LAN
> > !
> > int Serial 0/0
> > descr Link to Internet
> > ip inspect NO-JAVA out
> >
> > Please notice, there is no ip access-group configured on the Ethernet or
> > Serial.
> >
> > Thank You
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
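As an added worked example (not configuration from Eric's post, Mike's message, or the Cisco document), here is Mike's config with the inbound extended ACL Eric and the Cisco text describe bound to the outside interface, so that CBAC has something to open temporary holes in. The ACL number 101, the `log` keyword, and the generic tcp/udp inspection lines are my assumptions; the show commands at the end are standard IOS verification commands.

```cisco
! Added example: Mike's config plus the inbound ACL the thread says is
! missing. Not taken from the thread; ACL 101 is an assumed number.
!
! Java applet filter. The java-list ACL names the "friendly" sites whose
! applets are allowed through; "deny any" means every applet is blocked.
ip inspect name NO-JAVA http java-list 1
access-list 1 deny any
!
! Assumed additions beyond the thread: inspect generic TCP/UDP sessions
! too, otherwise the inbound deny below also drops DNS and other replies.
ip inspect name NO-JAVA tcp
ip inspect name NO-JAVA udp
!
! Inbound extended ACL on the outside interface. CBAC only punches
! temporary openings into an ACL that denies the return traffic, so
! without this list the HTTP sessions are never inspected and the
! applet filter never fires. Logging shows what is being dropped.
access-list 101 deny ip any any log
!
interface Ethernet0/0
 description Corp LAN
!
interface Serial0/0
 description Link to Internet
 ip access-group 101 in
 ip inspect NO-JAVA out
!
! Verification after a LAN user browses an external site:
!   show ip inspect config       - inspection rule and java-list binding
!   show ip inspect interfaces   - confirms NO-JAVA applied out on Serial0/0
!   show ip inspect sessions     - the live HTTP sessions being tracked
!   show ip access-lists 101     - dynamic entries CBAC opened for returns
```

If `show ip inspect sessions` stays empty while users are browsing, the inspect rule is on the wrong interface or direction, which is exactly the case Eric's first paragraph is about.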



This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:29 ARST