I would expect VPN to be an acceptable answer to #2 :/ . Either EZVPN or SSL VPN...

On Mon, Feb 14, 2011 at 1:11 PM, Jerome Dolphin <[email protected]> wrote:
> I think because it would be horridly difficult and tedious to use FPM - you
> would need to know the different types of 'bad' HTTP packets you are looking
> for and how they manifest at a bit level, e.g. is 0x3452 8 bytes into the
> payload a bad HTTP packet? What about 0xBE32? etc etc etc. How many
> different ways could someone tunnel traffic in HTTP? - I bet there's a pile.
> If you were using FPM, you'd need to know all the ways to cheat HTTP and
> program the FPM match criteria accordingly.
>
> OR, you could just inspect HTTP with ZBF and let the inspection engine
> worry about all the different ways HTTP can be abused : )
>
> On Tue, Feb 15, 2011 at 6:56 AM, Pemasiri Devanarayana <[email protected]> wrote:
>
>> Hi All,
>>
>> Thanks for all your responses. I now understand we can't use role-based CLI
>> for the 2nd question, but can someone give me the reason why we can't use
>> FPM on the 1st question?
>>
>> thanks
>> Pemasiri
>>
>> On Mon, Feb 14, 2011 at 8:08 PM, Tyson Scott <[email protected]> wrote:
>>
>>> 1. FPM would be difficult to use. The answer is the better option.
>>>
>>> 2. The key is "authenticate and authorize remote users with
>>> per-user level access control *before*"
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Pemasiri Devanarayana
>>> *Sent:* Monday, February 14, 2011 8:14 AM
>>> *To:* [email protected]
>>> *Subject:* [OSL | CCIE_Security] Yusuf's Flash Card - OEQ
>>>
>>> Hi,
>>>
>>> I just need someone's feedback on the two questions below:
>>>
>>> 1) Which Cisco IOS feature can prevent bad HTTP packets from tunneling
>>> malicious traffic?
>>> - answer was ZFW
>>> Why can't we consider FPM?
>>>
>>> 2) Which IOS security technology can be used to authenticate and authorize
>>> remote users with per-user level access control before permitting access to
>>> local/network services or hosts/servers?
>>> - authentication proxy
>>> - Why can't we consider role-based CLI?
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
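
The ZBF approach described in the thread for question 1, as an added example that is not part of the original messages: a zone-based firewall policy that hands HTTP to the IOS application inspection engine, which flags tunneling and protocol violations itself instead of requiring per-offset byte matches as FPM would. Zone names, class and policy names, and interface numbers are assumptions.

```cisco
! Layer 7 class: let the HTTP inspection engine identify abuse.
! (All names below are illustrative, not from the thread.)
class-map type inspect http match-any HTTP-ABUSE
 match request port-misuse tunneling
 match req-resp protocol-violation
!
! Layer 7 policy: reset and log sessions that match the abuse class.
policy-map type inspect http HTTP-L7-POLICY
 class type inspect http HTTP-ABUSE
  reset
  log
!
! Layer 3/4 class: select HTTP traffic for stateful inspection.
class-map type inspect match-any HTTP-TRAFFIC
 match protocol http
!
! Top-level policy: inspect HTTP and nest the layer 7 policy under it.
policy-map type inspect IN-TO-OUT
 class type inspect HTTP-TRAFFIC
  inspect
  service-policy http HTTP-L7-POLICY
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
!
! Assumed interfaces; adjust to the router's actual topology.
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

With `log` configured, sessions reset by the layer 7 class generate syslog messages, which gives a record of what the inspection engine blocked.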
