From: Ahsan Mohiuddin (ahsan.mohiuddin@gmail.com)
Date: Sun Aug 31 2008 - 09:27:51 ART
Hello Guys,
thanks for your feedback. Joe, thanks for your detailed response, and
everything would have been crystal clear had Nasim not suggested exactly the
opposite possibility, that I was also contemplating; the possibility that,
when CBAC is applied outbound to unprotected-facing interface then the rate
of max-incomplete connections of the *return traffic* (coming from the
Unprotected network) is measured.
So, I rolled up my sleeves and set out to test it both ways. What did I find
out? Joe's approach is correct, Nasim's is not.
I see this when the inspect rule is applied inbound on the
unprotected-facing interface:
*Mar 1 00:08:31.131: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open
connections (1) exceeded for host 10.0.0.6.
*Mar 1 00:08:31.139: %FW-2-BLOCK_HOST: Blocking new TCP connections to host
10.0.0.6 for 10 minutes (half-open count 1 exceeded).
No such response is seen when the inspect rule is applied outbound on the
unprotected-facing interface.
So I hope it's now correct to think that CBAC has two distinct functions, one
as a TCP half-open connection regulator (much like TCP intercept), the other
as protector of an "inside" network by allowing only return traffic to enter
the protected network (similar to the "established" keyword in an ACL or like
a Reflexive ACL). Is this thinking correct?
I thank you both for taking the time to help me out!
Thanks and regards,
~Ahsan
On Sat, Aug 30, 2008 at 10:10 PM, Joseph Brunner <joe@affirmedsystems.com> wrote:
> Perhaps the best CBAC question I have ever seen Ahsan! Thank you.
>
> Below is an excerpt from my CCNP workbook-
>
> Note: (The serial interfaces lead to the internet). The CBAC policy is
> APPLIED INBOUND on the public interface; this causes the CBAC server DOS
> protect policy to monitor connections made FROM the untrusted network and
> enforce limits (clamping) when traffic is headed towards the PROTECTED
> server farm.
>
> -Joe
>
> NYCORPHQ1 & NYCORPHQ2
>
> ip inspect log drop-pkt
> ip inspect max-incomplete low 200
> ip inspect max-incomplete high 600
> ip inspect one-minute low 100
> ip inspect one-minute high 300
> ip inspect tcp synwait-time 10
> ip inspect tcp max-incomplete host 75 block-time 10
> ip inspect name denialprotect http
> ip inspect name denialprotect https
> logging 10.254.0.19
>
>
> NYCORPHQ1
>
> interface serial0/0
> ip inspect denialprotect in
>
>
> NYCORPHQ2
>
> interface serial1/0
> ip inspect denialprotect in
>
>
> Verification;
>
> NYCORPHQ1#show ip inspect all
> Dropped packet logging is enabled
> Session audit trail is disabled
> Session alert is enabled
> one-minute (sampling period) thresholds are [100 : 300] connections
> max-incomplete sessions thresholds are [200 : 600]
> max-incomplete tcp connections per host is 75. Block-time 10 minutes.
> tcp synwait-time is 10 sec -- tcp finwait-time is 5 sec
> tcp idle-time is 3600 sec -- udp idle-time is 30 sec
> dns-timeout is 5 sec
> Inspection Rule Configuration
> Inspection name denialprotect
> http alert is on audit-trail is off timeout 3600
> https alert is on audit-trail is off timeout 3600
>
> Interface Configuration
> Interface Serial0/0
> Inbound inspection rule is denialprotect
> http alert is on audit-trail is off timeout 3600
> https alert is on audit-trail is off timeout 3600
> Outgoing inspection rule is not set
> Inbound access list is not set
> Outgoing access list is not set
>
>
>
> Note: Using CBAC/IOS Firewall to block denial of service attacks
>
> Content based application control uses connection clamping to limit the
> number of half-open tcp connections allowed globally, within one minute and
> on a per-host basis. Half-open connections exceeding the configured limits
> are dropped, until the number of half-open connections falls below the low
> water mark (threshold). On a per-host basis, a block-time is optionally
> configured to prevent new half-open sessions for the length of time specified.
>
> Additionally, TCP SYN packets can be monitored to ensure they reach the
> established state within a certain interval, or the session will be dropped
> by the IOS firewall.
>
> To log packets dropped by the firewall, the command "ip inspect log
> drop-pkt" may be configured.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Ahsan Mohiuddin
> Sent: Saturday, August 30, 2008 10:07 AM
> To: Cisco certification
> Subject: CBAC: how does "ip inspect max-incomplete" come into play?
>
> Hello Group,
>
> I don't understand how CBAC commands such as "ip inspect max-incomplete" and
> "ip inspect tcp max-incomplete host" etc come into effect. My understanding
> is that when you apply CBAC to an interface, connections can only be
> initiated from within the protected network, and dynamic openings are
> created for return traffic to be allowed back in.
>
> So, how do we get to have any "half-open" sessions at all? I mean if a DOS
> attack is underway, we would expect half-open (SYN-only) TCP packets piling
> up on one of the servers (on the inside). But since we aren't even allowing
> any new connections to be made from the outside, how does a DOS attack ever
> take place? So whats the use of the "ip inspect max-incomplete" ?
>
> It's getting confusing. This is my first time with CBAC :(
>
> ~Ahsan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:33 ART
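The clamping behaviour the workbook excerpt in Joe's reply describes (global "max-incomplete" high/low watermarks, per-host "tcp max-incomplete host N block-time M", and "tcp synwait-time"), written out as an added Python model. This is not code from the thread or from Cisco IOS; it follows the excerpt's description of the behaviour, and the host addresses, session keys, timestamps and the HalfOpenGuard class name are constructed for the illustration. The two %FW- messages it emits copy the format of the ones Ahsan pasted above.

```python
"""Toy model of the CBAC half-open (SYN) clamping described in the thread.

Added illustration, not Cisco IOS code.  Following the workbook excerpt it models:
  * the global `ip inspect max-incomplete low/high` watermarks (with
    hysteresis: clamping starts at `high` and ends only below `low`),
  * `ip inspect tcp max-incomplete host N block-time M`,
  * `ip inspect tcp synwait-time` (SYNs that never complete are torn down).
Session keys, host addresses and timestamps passed in are constructed.
"""
from collections import OrderedDict


class HalfOpenGuard:
    def __init__(self, low=200, high=600, host_max=75, block_time_min=10,
                 synwait=10):
        self.low, self.high = low, high
        self.host_max = host_max
        self.block_time = block_time_min * 60    # seconds
        self.synwait = synwait                    # seconds
        self.half_open = OrderedDict()            # key -> (dst_host, t_syn), oldest first
        self.per_host = {}                        # dst_host -> half-open count
        self.blocked_until = {}                   # dst_host -> absolute time
        self.clamping = False                     # global clamp in effect
        self.log = []                             # %FW-style messages from this model

    def _drop(self, key):
        host, _ = self.half_open.pop(key)
        self.per_host[host] -= 1

    def _expire(self, now):
        # synwait-time: a SYN that has not reached ESTABLISHED in time is dropped.
        for key, (_, t_syn) in list(self.half_open.items()):
            if now - t_syn >= self.synwait:
                self._drop(key)

    def syn(self, key, dst_host, now):
        """Decide on a new SYN toward dst_host: 'allow', 'allow:evicted-oldest'
        or 'drop:host-blocked'."""
        self._expire(now)
        if self.blocked_until.get(dst_host, 0) > now:
            return "drop:host-blocked"
        # Per-host limit with block-time > 0: tear down every half-open to
        # this host and refuse new SYNs to it for block-time.
        if self.per_host.get(dst_host, 0) >= self.host_max:
            for k, (h, _) in list(self.half_open.items()):
                if h == dst_host:
                    self._drop(k)
            self.blocked_until[dst_host] = now + self.block_time
            self.log.append(
                f"%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections "
                f"({self.host_max}) exceeded for host {dst_host}.")
            self.log.append(
                f"%FW-2-BLOCK_HOST: Blocking new TCP connections to host "
                f"{dst_host} for {self.block_time // 60} minutes "
                f"(half-open count {self.host_max} exceeded).")
            return "drop:host-blocked"
        # Global watermarks: reaching `high` starts clamping; while clamping,
        # the oldest half-open is evicted to make room for each new SYN, and
        # clamping stops only once the count has fallen below `low`.
        if len(self.half_open) >= self.high:
            self.clamping = True
        verdict = "allow"
        if self.clamping:
            if len(self.half_open) < self.low:
                self.clamping = False
            else:
                self._drop(next(iter(self.half_open)))
                verdict = "allow:evicted-oldest"
        self.half_open[key] = (dst_host, now)
        self.per_host[dst_host] = self.per_host.get(dst_host, 0) + 1
        return verdict

    def established(self, key):
        """Handshake completed: the session is no longer half-open."""
        if key in self.half_open:
            self._drop(key)

    def count(self):
        return len(self.half_open)


if __name__ == "__main__":
    # Re-run the shape of Ahsan's test: max-incomplete host 1, block-time 10.
    g = HalfOpenGuard(host_max=1, block_time_min=10)
    print(g.syn("s1", "10.0.0.6", 0))   # allow
    print(g.syn("s2", "10.0.0.6", 1))   # drop:host-blocked
    print("\n".join(g.log))
```

The ordering of checks matters for what an operator sees: a host already under block-time is refused before the global watermarks are consulted, and the global clamp keeps evicting between the two watermarks even though the count is below high, which is the hysteresis the low/high pair is for.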