NBAR for Security Filtering

From: Lord, Chris (chris.lord@lorien.co.uk)
Date: Wed Dec 15 2004 - 15:48:24 GMT-3


I was wondering whether anybody has read Deal's "Cisco Router Firewall
Security" book - section on using NBAR to filter attacks.

The method prescribed is to craft a policy map on the inbound interface
using NBAR to detect dangerous traffic (e.g. Code Red URLs), mark
matching packets with a DSCP value and then use an ACL on the outbound
interface to detect the DSCP value and deny the traffic.

Why not just drop the packets in the first place using the inbound
policy-map instead of letting them traverse the router first?

Any views out there on this?

TIA

Chris.
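
The two approaches compared in the post above, side by side as an added Cisco IOS configuration example (not from the post or from Deal's book). The class-map and policy-map names, interface numbers, ACL number 105, DSCP value 1 and the URL pattern are assumptions, and variant B applies only to IOS releases whose policy maps support the `drop` action.

```cisco
! NBAR requires CEF to be enabled.
ip cef
!
! Classify suspect HTTP requests with NBAR. The URL pattern is an assumed
! example of a Code Red style request; add further "match" lines as needed.
class-map match-any HTTP-ATTACKS
 match protocol http url "*default.ida*"
!
! --- Variant A: mark inbound, deny outbound (the method described above) ---
policy-map MARK-ATTACKS
 class HTTP-ATTACKS
  set ip dscp 1
!
interface FastEthernet0/0
 description outside-facing interface (assumed)
 service-policy input MARK-ATTACKS
!
! The ACL matches only on the marking, so any other traffic that already
! carries DSCP 1 is denied as well. Pick a value unused in the network.
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
!
interface FastEthernet0/1
 description inside-facing interface (assumed)
 ip access-group 105 out
!
! --- Variant B: drop in the inbound policy map (what the post asks about) ---
! An interface takes one input service-policy, so this replaces variant A.
policy-map DROP-ATTACKS
 class HTTP-ATTACKS
  drop
!
interface FastEthernet0/0
 service-policy input DROP-ATTACKS
```

With either variant, `show policy-map interface FastEthernet0/0` shows the per-class match counters; with variant A, `show access-lists 105` additionally shows hits on the deny entry.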




This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:27 GMT-3