Personally, I trust reflexive access lists more than CBAC.

Reflexive access lists are _not_ a kludge - on the contrary, they work in
the traditional manner for a stateful packet filter. When a new connection
is opened from inside the network an entry is written into a temporary ACL
in RAM which allows return traffic with the inverse source/dest ports etc. 

I'm fairly sure that it's _just_ an ACL though - therefore it wouldn't have
the capacity to check sequence numbers, make sure that only packets with
flag combos that are legal for the current TCP state etc etc.

CBAC has some really good features - frag reassembly, session audit trails,
"inspection" of some simple protocols, dealing with active FTP properly etc.
The trouble is that it can only do these things up to a certain point. You
can send so many frags that the router stops reassembling them. You can
space your bogus commands over such a length of time that the router gives
up on holding onto the packets that contained the start of the illegal
command etc etc.

Basically I'd rather have a simple, almost certainly correctly coded
mechanism that I understand than some nebulous inspection engine which can
only play with a teeny bit of RAM while filtering. There is no docco that
I've seen which tells you which stuff is filtered and there is nothing I've
seen that indicates that there are versions of the inspect engine itself so
I have no assurance that it's a "live" product in terms of development.

Most people use edge routers as either a packet filter for a small, low-risk
network or as a fast first line of defence for another style of firewall.

With this in mind, I usually promote CBAC as a very small increase in
security over reflexive ACLs and (when I use it) tend to only inspect frags
and tcp/udp/ftp.

YMMV.


--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
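The two mechanisms the message contrasts, side by side in IOS configuration. This is an added example written for this edit, not configuration from the original post: the interface name, the ACL and inspection-rule names, and every timeout and fragment-limit value are assumptions, and the fragment keyword spelling should be checked against the command reference for the IOS release in use.

```cisco
! --- Reflexive access lists (plain IOS, no firewall feature set) ---
! Outbound traffic creates a temporary entry in the named reflexive list;
! the entry matches only the inverse addresses/ports, with no TCP state
! or sequence-number checking. Names and timeouts are assumptions.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-REFLECT timeout 300
 permit udp any any reflect UDP-REFLECT timeout 60
 permit icmp any any
!
ip access-list extended INBOUND
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 deny ip any any log
!
interface Serial0
 description assumed external interface
 ip access-group OUTBOUND out
 ip access-group INBOUND in

! --- CBAC (IOS Firewall Feature Set), limited to frags and tcp/udp/ftp ---
! The inspection rule is applied outbound on the external interface;
! CBAC inserts the dynamic return-path permits ahead of the inbound ACL,
! which otherwise denies everything. Rule name and limits are assumptions.
ip inspect name EDGE tcp timeout 3600
ip inspect name EDGE udp timeout 30
ip inspect name EDGE ftp
ip inspect name EDGE fragment max 256 timeout 1
!
ip access-list extended INBOUND-CBAC
 deny ip any any log
!
interface Serial0
 description assumed external interface
 ip inspect EDGE out
 ip access-group INBOUND-CBAC in
```

Either way the inbound ACL is deny-by-default and only the dynamic entries open the return path; the difference is what the dynamic entry is keyed on. The reflexive entry is a five-tuple match and nothing more, which is exactly the "just an ACL" behaviour described above, while the CBAC rule adds fragment reassembly and the FTP data-channel handling at the cost of the per-session memory and timer limits the message warns about.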

> -----Original Message-----
> From: Patrick Darden [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 24 July 2000 11:14 PM
> To: [EMAIL PROTECTED]
> Subject: cisco Established keyword
> 
> "Established" is not stateful in any sense of the word.  It 
> was an early
> kludge that was followed by reflexive access lists, another kludge.
> 
> The FW IOS uses CBAC for true stateful inspection.  CBAC 
> works well, but
> has two problems: it is a tool, and depends upon the skill 
> and knowledge
> of the person using it; and stateful inspection is completely 
> baffled by
> tunnelling hacks that use ICMP, SSH, HTTPS, and other protocols
> (e.g. Loki).
> 
> 
> --Patrick Darden
> --Internetworking Manager
> --Athens Regional Medical Center
> 
> 
> You Wrote:
> 
> 1) Every CISCO Router can by default do stateful tcp inspection
> ("established" keyword.
>  
> 2) With the IOS Firewall Feature Set it can do full stateful 
> inspection
> for tcp, udp, and icmp (CBAC and/or reflexive named access lists).
>  
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 