I have an access-list on a Cisco 2610 internet connection (IOS version 12.0.7T IP
Firewall feature)
 
it looks like
 
    permit ....
    permit ....
    deny ip any any log-input
 
on the interface there is
 
        ip accounting
        ip accounting access-violations
all logs are written to syslog
but when I compare
    ip accounting violations
    and look at the syslog denied strings
    the information is different
 
there are many more packets in access-violations than in denied 


> -----Original Message-----
> From: Ben Nagy [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, June 18, 2000 8:50 PM
> To: 'Levin, Alexandre'; '[EMAIL PROTECTED]'
> Subject: RE: CISCO Firewall Feature Set
> 
> 
> I had a quick look for this and didn't find anything that 
> looked like a
> message...
> 
> Could you elaborate a bit further, please? I've never seen 
> any packets not
> get logged although I'm aware of an issue whereby the router 
> logs the first
> packet and then summarises any additional identical drops 
> after five (or so)
> minutes. Any limitations with the logging of deny statements 
> on ACLs would
> interest me greatly.
> 
> Cheers,
> 
> --
> Ben Nagy
> Network Consultant, Volante IT
> PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
> 
> > -----Original Message-----
> > From: Levin, Alexandre [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, 17 June 2000 2:32 AM
> > To: '[EMAIL PROTECTED]'
> > Cc: 'Joe Dauncey'; David Leach
> > Subject: RE: CISCO Firewall Feature Set
> > 
> > 
> > There is one interesting problem in Cisco access-lists and logging:
> > when you add log or log-input to access-list rules 
> > not all packets are written to the log. so you cannot really 
> > know which packet
> > was dropped .... :( 
> > and I don't know a way to log it .... :(
> > 
> >     If you are interested - you can find a discussion with
> >             Subject: ip accounting and syslog 
> >     on deja.com
> >     
> >     but unfortunately with no answer .....
> > 
> > 
> > > -----Original Message-----
> > > From: Joe Dauncey [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, June 16, 2000 9:29 AM
> > > To: David Leach
> > > Cc: <
> > > Subject: Re: CISCO Firewall Feature Set
> > > 
> > > 
> > > David,
> > > 
> > > From the work I have done looking at it, the hub of the 
> > > Firewall Feature Set (Or CiscoSecure Integrated Software as 
> > > they now call it) is basically access control lists. The 
> > > access control lists are quite good, because they'll stop all 
> > > packets bang dead, but it is kind of scary that they seem to 
> > > be the hub of the 'feature'.
> > > 
> > > The main problem we have seen from our concerns is that the 
> > > logging on the router is awful. You need to allocate 
> > > sufficient buffer space, and you could easily lose it. 
> > > However, if you have a local UNIX box you can bung all your 
> > > logging straight to it using syslog. It's not too bad when 
> > > you do that. You can log all denies on the access list, and 
> > > you can also log all CBAC connections. However, I
> > > am not sure what you would need to do to log other traffic. I 
> > > guess set an access list up as a 'permit all log', or to some 
> > > lesser degree.
> > > 
> > > One of the other main issues is the current limitations of 
> > > CBAC, which doesn't really handle a lot of protocols. The 
> > > application filtering is trivial in some cases. For example, 
> > > SMTP is hardcoded to allow EXPN and VRFY straight through as 
> > > permitted commands, even though they can lead to information 
> > > leaks. There is no way to change that. It is also limited to 
> > > UDP and TCP traffic, which means
> > > that if you want to allow ICMP or anything else you have to 
> > > start poking holes in your access lists, which can be dodgy ! 
> > > CBAC is supposed to check outgoing packets and then open a 
> > > hole in your access list to allow their responses back in. It 
> > > does this very well, and very responsively.
> > > 
> > > There are also some anti-DoS measures, which are quite good. 
> > > They've got some fairly flexible rules to govern inbound SYN 
> > > connections and the like.
> > > 
> > > To sum it up I have two main issues. As a router with a 
> > > firewall feature I think it is really good. As a firewall on 
> > > a router I am not so impressed. Too much is hardcoded with no 
> > > chance to see what is really going on. My second issue is 
> > > more to do with the people who support it. A few times now I 
> > > have seen router people trying to do firewall security with a 
> > > Cisco router, but without really a
> > > clue. As the firewall world and the router world have always 
> > > been slightly different there are a lot of vital security 
> > > skills that have not yet permeated across to the router world 
> > > (the case is also vice versa, but not an issue here). The 
> > > router people tend to think that if they can do routers then 
> > > they can do firewalls, and so if they know IOS then they can 
> > > configure a secure IOS firewall. I
> > > do both, and I deal with both, so I have seen it a lot, and I 
> > > have seen, time after time, router people get it wrong. That 
> > > is not to say that there aren't a lot of people who can sit 
> > > in the middle, but I would be very hesitant about asking a 
> > > load of router configurators to take over my firewalls !!
> > > 
> > > Anyway, I hope this bit of personal opinion is of some use. 
> > > The IOS is really a much better firewall than I ever 
> > > expected, but I am still testing it and forming a final opinion.
> > > 
> > > Cheers,
> > > Joe
> > > 
> > > (personal opinions, represent only myself, etc....)
> > > 
> > > David Leach wrote:
> > > 
> > > > Has anyone used the FFS or can give recommendations for or 
> > > against?  A router engineer I'm trying to work with has 
> > > suggested replacing all the firewalls in a proposed design 
> > > with routers and Access control lists.  I feel confident that 
> > > I have the information necessary to make the argument against 
> > > doing that.  However, I don't want to be caught off guard by 
> > > something I don't know much about.
> > > >
> > > > Any help is greatly appreciated.
> > > >
> > > > Dave Leach, MCSE+ I
> > > > Systems Security Engineer
> > > > EWA, Information and Infrastructure Technologies
> > > >
> > > > -
> > > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > > "unsubscribe firewalls" in the body of the message.]
> > > 
> > > 
> > > 
> > 
> 
