CBAC

acidsatyr Member Posts: 111
Besides being able to define things like audit-trail alarms or HTTP-specific Java filtering,
is there a difference in how CBAC inspects traffic?
For example, let's say I have

ip inspect name FW telnet
ip inspect name FW ssh
ip inspect name FW dns
ip inspect name FW ftp
ip inspect name FW ftps
ip inspect name FW http
ip inspect name FW https
ip inspect name FW imaps
ip inspect name FW icmp router-traffic
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic

The last 3 lines are also going to let out any TCP/UDP traffic from hosts that doesn't match a more specific inspection rule. So my question is: is it needed to actually configure more specific inspection rules?
What's the advantage of that?

Thanks

Comments

  • mikej412 Member Posts: 10,086
    acidsatyr wrote: »
    The last 3 lines are also going to let out any tcp/udp traffic from hosts which doesn't match more specific inspection rule.
    The last 3 lines inspect traffic where the router is one of the communication end points (source or destination). The other statements are for the data flow through the router.
    Cisco Certifications -- Collect the Entire Set!
  • acidsatyr Member Posts: 111
    Hi mike,
    The last 3 lines will also inspect traffic not originated by the router that is not matched by a more specific inspection rule.
  • ColbyG Member Posts: 1,264
    acidsatyr wrote: »
    Hi mike,
    The last 3 lines will also inspect traffic not originated by the router that is not matched by a more specific inspection rule.

    You sure about that?

    ip inspect name FW tcp

    That command should inspect TCP traffic not originated by or destined to the router.

    ip inspect name FW tcp router-traffic

    That command should inspect TCP traffic originated by or destined to the router. I don't think it inspects non-router traffic.

    No?
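An added example (not posted by anyone in this thread) showing how an inspection rule like the one above is applied end to end, and where the protocol-specific entries earn their keep: CBAC's `ftp` inspection parses the FTP control channel and opens the dynamic data-channel pinhole, which a generic `tcp` entry cannot do, and the `router-traffic` keyword is what makes the generic `tcp`/`udp` entries cover sessions the router itself originates or terminates. Interface names, addresses, the ACL number and the inside/outside placement are assumptions made for illustration.

```cisco
! Added example, not from the thread. Interfaces, addresses and ACL 110 are assumed.
!
! Protocol-specific entries go first. FTP inspection reads the control channel
! (PORT/PASV) and opens the matching data-channel pinhole; a plain "tcp" entry
! only tracks the control connection, so the data connection would be dropped
! by the outside ACL.
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW dns
ip inspect name FW icmp
!
! Generic fallback for everything else. "router-traffic" extends these entries
! to sessions where the router is an endpoint (its own DNS lookups, NTP, an
! outbound SSH/Telnet from the CLI); without the keyword only transit traffic
! is inspected.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
!
! Default-deny on the outside interface. CBAC inserts temporary entries ahead
! of this ACL for the return traffic of each inspected session.
access-list 110 deny ip any any log
!
interface GigabitEthernet0/0
 description inside
 ip address 192.168.1.1 255.255.255.0
!
! Inspect on the way out of the outside interface so that the router's own
! outbound sessions (the "router-traffic" case) pass through the inspection
! point as well as transit traffic from the inside network.
interface GigabitEthernet0/1
 description outside
 ip address 203.0.113.2 255.255.255.252
 ip access-group 110 in
 ip inspect FW out
!
! Verification:
!   show ip inspect config
!   show ip inspect sessions detail
```

With this in place, `show ip inspect sessions detail` shows a separate FTP data-channel session opened by the `ftp` entry during an active-mode transfer, while a pure `tcp` rule would list only the control session; that difference is the practical answer to "what's the advantage" of the specific entries.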