Funny you should mention this.

CBAC is one of the components of the MCNS specialty and one of the strong
features of the IOS security now. I've read a bit in the Held and Hundley
book Cisco Access Lists Field Guide. Now that I have the means to do so, I
have been contemplating how to demonstrate CBAC to interested parties in a
way that can help all of us learn a little more. I'd like to be able to
demonstrate something other than ping and traceroute tests. Maybe if someone
has a telnet host we can use?

Telnet_Host-----internet------My_Router/with CBAC---|
                               |------------Another_Router/telnet into it? and then telnet into the cbac router?

If the Cisco chat room is available, we can use that as a classroom of
sorts.

Contact me off line to hash out some ideas for this.

Chuck


-----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Dinesh_Kakkar
Sent:   Tuesday, August 08, 2000 10:06 PM
To:     [EMAIL PROTECTED]
Subject:        enable security features with Cisco IOS using CBAC
Importance:     High

 Hello friends

The Context-Based Access Control (CBAC) feature is very useful in Cisco IOS; I
would like to implement the same in my network. Can anyone shed some more
light on the implementation: how it is being implemented by you and how you did
that?

> I found that the Context-Based Access Control (CBAC) feature in Cisco IOS
> has a variety of options for providing security.
> Here please find some more useful information about CBAC & reply if we can
> use this feature for our network.
>
> Service Providers offering managed network services to customers can
> enable security features in the Cisco IOS(r) software-based access routers
> that they install on their customers' premises.  These capabilities help
> protect end customers against Denial of Service (DoS) attacks, intruders,
> and viruses. Service Providers, in effect, then, can layer a security
> component on top of their managed network services to help keep customers'
> internal information resources from being compromised - and their Web
> servers from falling prey to DoS attacks, which render them unavailable to
> users.
> TECHNOLOGY BACKGROUND
> One security feature in Cisco IOS software is Context-Based Access Control
> (CBAC). CBAC, a component of the Cisco IOS Firewall feature set, filters
> packets based on application-layer information, such as what kinds of
> commands are being executed within the session. For example, if a command
> that is not supported is discovered in a session, the packet can be denied
> access.
> The CBAC component of the Cisco IOS Firewall enhances security for TCP and
> User Datagram Protocol (UDP) applications that use well-known ports, such
> as port 80 for HTTP or port 443 for Secure Sockets Layer (SSL). It does
> this by scrutinizing source and destination addresses.  Without CBAC,
> administrators can permit advanced application traffic only by writing
> permanent access control lists (ACLs). This approach leaves firewall doors
> open, so most administrators have tended to deny all such application
> traffic. With CBAC enabled, however, they can securely permit multimedia
> and other application traffic by opening the firewall as needed and
> closing it all other times.
> The Cisco IOS Firewall feature set can also be configured to block Java
> applets from unknown or untrusted sources to protect against attacks in
> the form of malicious commands or the introduction of viruses. A Java
> executable file can steal passwords or otherwise wreak havoc with a
> system. Filtering applets at the firewall centralizes the filtering
> function for end customers. This eases administration, because it is no
> longer necessary to disable Javascript on all Web browsers within an
> organization to protect against Java attacks.
> CONFIGURATION CONSIDERATIONS
> The Cisco IOS Firewall features, including CBAC and Java filtering, are
> available in version 11.2(11)P. However, additional protection and
> protocol support is added continually, so customers are encouraged to
> implement the latest version of the feature set. For example, security
> features that are new in Cisco IOS Release 12.0(5)T include the following:
>
> *     Dynamic intrusion detection
> *     LAN-based, dynamic, per-user authentication and authorization via
> TACACS+ and RADIUS authentication servers.
> *     Ability to configure audit trails, alerts, and Java blocking on a
> per-application basis.
>
> These and other Cisco IOS Firewall features are available on the Cisco
> 800, 1600, 1700, 2500, 2600, 3600, 7100, 7200, RSM, and RSP7500 router
> platforms.
> BENEFITS SUMMARY
> Cisco IOS Firewall filtering capabilities enable a Service Provider to
> offer a managed network service with integrated security, which can be a
> point of differentiation for the provider. Bundling the security features
> into the customer's access router enables a Service Provider's customer to
> turn an existing Cisco router into a firewall without having to purchase
> additional devices. This is a convenient and cost-effective option for end
> customers.
> To learn more about Cisco IOS Firewall, CBAC, and Java blocking
> capabilities, visit the following URLs:
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdcbac.htm
> http://www.cisco.com/univercd/cc/td/doc/pcat/iofwfts1.htm#xtocid165423
>
> Regards
> Dinesh
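
A minimal CBAC configuration for the test topology sketched at the top of this thread, added here as an example; it is not from either poster or from Cisco's documentation. The interface names, the addresses (documentation ranges), the ACL numbers and the rule name FW are assumptions.

```cisco
! Constructed example. Assumptions: Serial0 faces the Internet, Ethernet0 faces
! the inside LAN, 198.51.100.10 is a trusted applet source, FW is the rule name.
!
! The static alternative the quoted text warns about (shown commented out):
! a permanent opening that matches any TCP segment with ACK or RST set.
! access-list 101 permit tcp any any established
!
! CBAC inspection rule: sessions started from the inside are tracked, and
! temporary openings for their return traffic are added to the inbound ACL.
ip inspect audit-trail
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
! Java applets are allowed only from sources permitted by standard ACL 10.
ip inspect name FW http java-list 10
access-list 10 permit 198.51.100.10
!
! Inbound ACL on the outside interface: nothing is permanently open except the
! ICMP replies needed for ping and traceroute from inside, which this rule
! does not inspect.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
!
interface Serial0
 description Internet side
 ip access-group 101 in
 ip inspect FW out
!
interface Ethernet0
 description Inside LAN (Another_Router sits here)
```

With this in place, a telnet from Another_Router out to Telnet_Host succeeds and is listed by `show ip inspect sessions` while it is active; a telnet started from Telnet_Host toward the inside is dropped and logged by the final deny in ACL 101.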

___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
