From: Mike Stout (michaelgstout@gmail.com)
Date: Sat Dec 08 2007 - 01:24:15 ART
My reference is "CCIE Security Practice Labs", and the solution I show is
the one provided. I am having a very difficult time understanding this
solution because it is so concise.
IP Inspect observes traffic as it goes in the direction stated in the
interface level command and allows established connections to return. So,
if I apply the inspection rule out to the internet on serial0/1/0, IP
Inspect should open a return session into my network even if I deny that
traffic using an access-list. The java applet filter must inspect outgoing
http requests and monitor the return traffic for the existence of JAVA
applets.
I was talking about this with a Security Admin and we were curious
about why CBAC needs a complementary access-list statement when access-lists
can't inspect traffic inside of the http payload. I now wonder if the
feature Farrukh mentions is the point when CBAC became so robust.
On Dec 7, 2007 5:17 PM, Eric Phillips <ephillips@squick.cc> wrote:
> Hey Gary,
>
> Remember that a java applet is being pulled from a website, not statelessly
> pushed from the Internet down. CBAC works by deeply inspecting flows to try
> and understand what they are actually doing. In the case of something like
> an FTP flow, CBAC is able to look inside the FTP session and see the "PORT"
> command and dynamically open the port requested by the "PORT" command.
>
> So even though with something like an ACL you would be blocking on the
> inbound direction of the outside interface, CBAC you are telling it what
> direction the traffic flow is going.
>
> And Farrukh's feature appears like it does not require an ACL to block the
> traffic for CBAC to scan it if you have 12.3(x)T or higher. I have not
> tested that though. But in most cases you have an access list on the
> outside interface anyways, so I have never tested that.
>
> -Eric
>
>
> On 12/7/07, Gary Duncanson <gary.duncanson@googlemail.com> wrote:
> >
> > Eric, I have been thinking about this again. Isn't Mike wanting to track
> > traffic coming into the serial interface? He wants to protect his ethernet
> > LAN from Java applets from the internet. That's why I wonder does he not
> > need to inspect packets coming into the serial interface from the router? I
> > read his description as meaning
> >
> > Internet - S0 - router - e0-LAN
> >
> > Or have I misinterpreted something?
> >
> > Thanks
> >
> > ----- Original Message -----
> > *From:* Eric Phillips <ephillips@squick.cc>
> > *To:* Gary Duncanson <gary.duncanson@googlemail.com>
> > *Cc:* v.shekhar@yahoo.com ; michaelgstout@gmail.com ;
> > ccielab@groupstudy.com
> > *Sent:* Friday, December 07, 2007 1:36 PM
> > *Subject:* Re: IP Inspect name NO-JAVA http java-list 1
> >
> >
> > Hi Gary,
> >
> > CBAC is applied in the same direction as the traffic you want to track.
> > So it could be applied on the inbound direction of the inside interface, or
> > on the outbound direction of the outside interface.
> >
> > Putting CBAC on the inbound direction of the outside interface would only
> > help incoming traffic. Which is important if you are using a router as a
> > firewall and NAT device, and have an FTP server on the inside that you want
> > the outside folks to access. But that is a different case from what Mike
> > mentioned.
> >
> > I do have a question though about there not being an access-list applied
> > to the interface. With CBAC traffic inspection, the traffic must be
> > denied for CBAC to pick it up. I am not familiar with the java filtering
> > though, but I don't think CBAC will even inspect the traffic in any way
> > without an ACL inbound on your outside ACL.
> >
> >
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm
> >
> > Quote:
> > External Interface
> >
> > Here are some guidelines for your access lists when you will be
> > configuring Cisco IOS Firewall on an external interface:
> >
> > If you have an outbound IP access list at the external interface, the
> > access list can be a standard or extended access list. This outbound access
> > list should permit traffic that you want to be inspected by Cisco IOS
> > Firewall. If traffic is not permitted, it will not be inspected by Cisco IOS
> > Firewall, but will be simply dropped.
> >
> > The inbound IP access list at the external interface must be an extended
> > access list. This inbound access list should deny traffic that you want to
> > be inspected by Cisco IOS Firewall. (Cisco IOS Firewall will create
> > temporary openings in this inbound access list as appropriate to permit only
> > return traffic that is part of a valid, existing session.)
> > ---
> >
> > Hope that helps,
> >
> > Eric M. Phillips
> >
> >
> > On 12/7/07, Gary Duncanson <gary.duncanson@googlemail.com> wrote:
> > >
> > > Should that not be
> > >
> > > int Serial 0/0
> > > > descr Link to Internet
> > > > ip inspect NO-JAVA in
> > > ----- Original Message -----
> > > From: <v.shekhar@yahoo.com>
> > > To: "Mike Stout" <michaelgstout@gmail.com>; < ccielab@groupstudy.com>
> > > Sent: Friday, December 07, 2007 8:57 AM
> > > Subject: Re: IP Inspect name NO-JAVA http java-list 1
> > >
> > >
> > > > Looks fine to me.
> > > >
> > > > Thanks,
> > > > -sHekHar.
> > > > CCIE#17589/CISSP/RHCE.
> > > >
> > > > ----- Original Message ----
> > > > From: Mike Stout <michaelgstout@gmail.com>
> > > > To: ccielab@groupstudy.com
> > > > Sent: Friday, December 7, 2007 5:00:16 AM
> > > > Subject: IP Inspect name NO-JAVA http java-list 1
> > > >
> > > >
> > > > Hello:
> > > > Can anybody tell me if this is a correct config to protect the Ethernet
> > > > LAN from receiving JAVA APPLETS from the internet which is connected to my
> > > > serial interface??
> > > >
> > > > Router
> > > > ip inspect name NO-JAVA http java-list 1
> > > > access-list 1 deny any
> > > > !
> > > > interface Ethernet0/0
> > > > descr Corp LAN
> > > > !
> > > > int Serial 0/0
> > > > descr Link to Internet
> > > > ip inspect NO-JAVA out
> > > >
> > > > Please notice, there is no ip access-group configured on the Ethernet or
> > > > Serial.
> > > >
> > > > Thank You
> > > >
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
> > --
> > Eric Phillips
> >
> > Senior Network Consultant
> > LTI Information Technology http://www.ltiit.com
> >
> > 501 Avis Drive
> > Ann Arbor, MI 48108
> > Phone: (734) 929-1400 Fax: (734) 929-1401
> >
> >
>
>
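An added configuration example, not taken from any message in this thread: Mike's inspection rule combined with the extended inbound ACL that the Cisco guideline quoted above calls for on the external interface, so return traffic is denied until CBAC opens a temporary entry for a session it saw leave. Interface names and the ACL numbers 1 and 101 are assumptions.

```cisco
! Added example; not the config posted in the thread. Interface names and
! ACL numbers are assumptions.
!
! Standard ACL consulted by the java-list filter: no site is permitted,
! so applets from any source are blocked.
access-list 1 deny any
!
! Inspection rule: inspect HTTP and apply the Java applet filter to it.
ip inspect name NO-JAVA http java-list 1
!
! Extended ACL applied INBOUND on the external interface. Per the quoted
! guideline, traffic you want inspected must be denied here; CBAC inserts
! temporary openings for return traffic of sessions it has inspected
! leaving. Anything that must enter unsolicited has to be permitted
! explicitly above the final deny.
access-list 101 deny ip any any log
!
interface Ethernet0/0
 description Corp LAN
!
interface Serial0/0
 description Link to Internet
 ip access-group 101 in
 ip inspect NO-JAVA out
!
! Verification: the configured rule, the dynamic sessions CBAC is tracking,
! and hit counts on the inbound ACL that should be catching unsolicited traffic.
! show ip inspect config
! show ip inspect sessions
! show ip access-lists 101
```

Without the `ip access-group 101 in` line this is the thread's original config: the outbound inspection still runs, but there is no inbound deny for CBAC to open holes in, which is the point Eric raises.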
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:29 ARST