We use CBAC as a usefull first line of defense before the firewall. Using
CBAC we can limit embryonic or half open connections, specifiy a maximum
number of incomplete handshakes, set thresholds for certain types of data,
limit java scripts and the level at which they operate, only allow
connections back through originating from the inside including udp apps etc.
etc.
That is how we use it, mainly as a first line of defense and to limit dos
attacks and attacks that rely on creating a large amount of connections or
bombardment.
-----Original Message-----
From: Dinesh_Kakkar [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000 1:06 AM
To: [EMAIL PROTECTED]
Subject: enable security features with Cisco IOS using CBAC
Importance: High
Hello friends
Context-Based Access Control (CBAC) feature is very useful in cisco IOS, i
would like to implement the same in my network. Can any one put some more
light on the implementation how it is being implemented by you & how you did
that.
> I found that Context-Based Access Control (CBAC) feature in Cisco IOS
> has variety of options for in providing security.
> Here please find some more useful information about CBAC & reply if we can
> use this feature for our network.
>
> Service Providers offering managed network services to customers can
> enable security features in the Cisco IOS� software-based access routers
> that they install on their customers' premises. These capabilities help
> protect end customers against Denial of Service (DoS) attacks, intruders,
> and viruses. Service Providers, in effect, then, can layer a security
> component on top of their managed network services to help keep customers'
> internal information resources from being compromised - and their Web
> servers from falling prey to DoS attacks, which render them unavailable to
> users.
> TECHNOLOGY BACKGROUND
> One security feature in Cisco IOS software is Context-Based Access Control
> (CBAC). CBAC, a component of the Cisco IOS Firewall feature set, filters
> packets based on application-layer information, such as what kinds of
> commands are being executed within the session. For example, if a command
> that is not supported is discovered in a session, the packet can be denied
> access.
> The CBAC component of the Cisco IOS Firewall enhances security for TCP and
> User Datagram Protocol (UDP) applications that use well-known ports, such
> as port 80 for HTTP or port 443 for Secure Sockets Layer (SSL). It does
> this by scrutinizing source and destination addresses. Without CBAC,
> administrators can permit advanced application traffic only by writing
> permanent access control lists (ACLs). This approach leaves firewall doors
> open, so most administrators have tended to deny all such application
> traffic. With CBAC enabled, however, they can securely permit multimedia
> and other application traffic by opening the firewall as needed and
> closing it all other times.
> The Cisco IOS Firewall feature set can also be configured to block Java
> applets from unknown or untrusted sources to protect against attacks in
> the form of malicious commands or the introduction of viruses. A Java
> executable file can steal passwords or otherwise wreak havoc with a
> system. Filtering applets at the firewall centralizes the filtering
> function for end customers. This eases administration, because it is no
> longer necessary to disable Javascript on all Web browsers within an
> organization to protect against Java attacks.
> CONFIGURATION CONSIDERATIONS
> The Cisco IOS Firewall features, including CBAC and Java filtering, are
> available in version 11.2(11)P. However, additional protection and
> protocol support is added continually, so customers are encouraged to
> implement the latest version of the feature set. For example, security
> features that are new in Cisco IOS Release 12.0(5)T include the following:
>
> * Dynamic intrusion detection
> * LAN-based, dynamic, per-user authentication and authorization via
> TACACS+ and RADIUS authentication servers.
> * Ability to configure audit trails, alerts, and Java blocking on a
> per-application basis.
>
> These and other Cisco IOS Firewall features are available on the Cisco
> 800, 1600, 1700, 2500, 2600, 3600, 7100, 7200, RSM, and RSP7500 router
> platforms.
> BENEFITS SUMMARY
> Cisco IOS Firewall filtering capabilities enable a Service Provider to
> offer a managed network service with integrated security, which can be a
> point of differentiation for the provider. Bundling the security features
> into the customer's access router enables a Service Provider's customer to
> turn an existing Cisco router into a firewall without having to purchase
> additional devices. This is a convenient and cost-effective option for end
> customers.
> To learn more about Cisco IOS Firewall, CBAC, and Java blocking
> capabilities, visit the following URLs:
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/se
> cur_c/scprt3/scdcbac.htm
> http://www.cisco.com/univercd/cc/td/doc/pcat/iofwfts1.htm#xtocid165423
>
> Regards
> Dinesh
___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
