Re: IP Inspect name NO-JAVA http java-list 1

From: Eric Phillips (ephillips@squick.cc)
Date: Fri Dec 07 2007 - 22:17:13 ART


Hey Gary,

Remember that a java applet is being pulled from a website, not statelessly
pushed from the Internet down. CBAC works by deeply inspecting flows to try
and understand what they are actually doing. In the case of something like
an FTP flow, CBAC is able to look inside the FTP session and see the "PORT"
command and dynamically open the port requested by the "PORT" command.

So even though with something like an ACL you would be blocking on the
inbound direction of the outside interface, with CBAC you are telling it what
direction the traffic flow is going.

And Farrukh's feature appears like it does not require an ACL to block the
traffic for CBAC to scan it if you have 12.3(x)T or higher. I have not
tested that though. But in most cases you have an access list on the
outside interface anyways, so I have never tested that.

-Eric

On 12/7/07, Gary Duncanson <gary.duncanson@googlemail.com> wrote:
>
> Eric I have been thinking about this again. Isn't Mike wanting to track
> traffic coming into the serial interface? He wants to protect his ethernet
> LAN from Java applets from the internet. That's why I wonder, does he not
> need to inspect packets coming into the serial interface from the router? I
> read his description as meaning
>
> Internet - S0 - router - e0-LAN
>
> Or have I misinterpreted something?
>
> Thanks
>
> ----- Original Message -----
> *From:* Eric Phillips <ephillips@squick.cc>
> *To:* Gary Duncanson <gary.duncanson@googlemail.com>
> *Cc:* v.shekhar@yahoo.com ; michaelgstout@gmail.com ;
> ccielab@groupstudy.com
> *Sent:* Friday, December 07, 2007 1:36 PM
> *Subject:* Re: IP Inspect name NO-JAVA http java-list 1
>
>
> Hi Gary,
>
> CBAC is applied in the same direction as the traffic you want to track.
> So it could be applied on the inbound direction of the inside interface, or
> on the outbound direction of the outside interface.
>
> Putting CBAC on the inbound direction of the outside interface would only
> help incoming traffic, which is important if you are using a router as a
> firewall and NAT device and have an FTP server on the inside that you want
> the outside folks to access. But that is a different case from what Mike
> mentioned.
>
> I do have a question, though, about there not being an access-list applied
> to the interface. With CBAC traffic inspection, the traffic must be
> denied for CBAC to pick it up. I am not familiar with the java filtering
> though, but I don't think CBAC will even inspect the traffic in any way
> without an ACL inbound on your outside ACL.
>
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm
>
> Quote:
> External Interface
>
> Here are some guidelines for your access lists when you will be
> configuring Cisco IOS Firewall on an external interface:
>
> If you have an outbound IP access list at the external interface, the
> access list can be a standard or extended access list. This outbound access
> list should permit traffic that you want to be inspected by Cisco IOS
> Firewall. If traffic is not permitted, it will not be inspected by Cisco IOS
> Firewall, but will be simply dropped.
>
> The inbound IP access list at the external interface must be an extended
> access list. This inbound access list should deny traffic that you want to
> be inspected by Cisco IOS Firewall. (Cisco IOS Firewall will create
> temporary openings in this inbound access list as appropriate to permit only
> return traffic that is part of a valid, existing session.)
> ---
>
> Hope that helps,
>
> Eric M. Phillips
>
>
> On 12/7/07, Gary Duncanson <gary.duncanson@googlemail.com> wrote:
> >
> > Should that not be
> >
> > int Serial 0/0
> > > descr Link to Internet
> > > ip inspect NO-JAVA in
> > ----- Original Message -----
> > From: <v.shekhar@yahoo.com>
> > To: "Mike Stout" <michaelgstout@gmail.com>; < ccielab@groupstudy.com>
> > Sent: Friday, December 07, 2007 8:57 AM
> > Subject: Re: IP Inspect name NO-JAVA http java-list 1
> >
> >
> > > Looks fine to me.
> > >
> > > Thanks,
> > > -sHekHar.
> > > CCIE#17589/CISSP/RHCE.
> > >
> > > ----- Original Message ----
> > > From: Mike Stout <michaelgstout@gmail.com>
> > > To: ccielab@groupstudy.com
> > > Sent: Friday, December 7, 2007 5:00:16 AM
> > > Subject: IP Inspect name NO-JAVA http java-list 1
> > >
> > >
> > > Hello:
> > > Can anybody tell me if this is a correct config to protect the Ethernet
> > > LAN from receiving JAVA APPLETS from the internet which is connected to my
> > > serial interface??
> > >
> > > Router
> > > ip inspect name NO-JAVA http java-list 1
> > > access-list 1 deny any
> > > !
> > > interface Ethernet0/0
> > > descr Corp LAN
> > > !
> > > int Serial 0/0
> > > descr Link to Internet
> > > ip inspect NO-JAVA out
> > >
> > > Please notice, there is no ip access-group configured on the Ethernet or
> > > Serial.
> > >
> > > Thank You
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html


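As an added illustration, not taken from any message in this thread, here is what the thread's conclusion looks like as an IOS configuration: the inspection rule applied on Serial0/0 in the direction the LAN's HTTP sessions leave, plus the extended inbound ACL that the quoted Cisco guidance says the outside interface needs so that CBAC has something to open temporary return-traffic entries in. The interface names, the ACL number 101 and the `log` keyword are assumptions.

```cisco
! Added example (not from the thread); interface names and ACL 101 are assumptions.
!
! Inspection rule: HTTP inspection with Java applet blocking. The java-list
! names a standard ACL of sites whose applets are allowed; "deny any" means
! applets from every site are blocked.
ip inspect name NO-JAVA http java-list 1
access-list 1 deny any
!
! Extended ACL applied inbound on the outside interface. It denies the
! traffic CBAC is meant to inspect; CBAC inserts temporary entries ahead of
! this line for the return half of sessions it has seen leaving.
access-list 101 deny ip any any log
!
interface Ethernet0/0
 description Corp LAN
!
interface Serial0/0
 description Link to Internet
 ip access-group 101 in
 ! Same direction as the flow being tracked: the LAN's HTTP requests leave
 ! here, so CBAC inspects them "out" and opens the inbound return path.
 ip inspect NO-JAVA out
!
! Verify after a browser on the LAN fetches a page; an empty session table
! means the rule is applied in the wrong direction or on the wrong interface.
! show ip inspect sessions
! show ip inspect config
```

Eric's alternative placement is `ip inspect NO-JAVA in` on Ethernet0/0 with the same inbound ACL kept on Serial0/0.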

This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:29 ARST