Saturday, March 24, 2007

CBAC configuration example

The other day I was blogging about Cisco's CBAC (Context-Based Access Control) feature, which can be used as an application firewall to inspect application-layer protocols. CBAC watches sessions that are started from the inspected side (normally the inside), records them in a state table, and adds temporary entries to the inbound access list so that only the return traffic of those sessions is let back in. Everything else arriving on the outside interface is dropped by the static deny in the inbound access list, so an unsolicited connection from outside never reaches a host. A useful side effect is that port scanning, the standard reconnaissance step, gets nothing: if someone scans the router with nmap or a similar tool, every probe that is not a reply to an existing session is silently dropped, so the scan reports nothing about the servers behind it. Strictly speaking it is the deny-all inbound ACL that stops the scan; what CBAC adds is the dynamic holes for legitimate return traffic that make such a strict ACL usable at all. Below is a basic CBAC configuration example.

config t
! Inbound ACL: drop everything that is not return traffic of an inspected session.
! CBAC inserts temporary permit entries ahead of this deny as sessions are created.
access-list 123 deny ip any any
! Outbound ACL: only SMTP (TCP/25) may leave through Serial0/0.
access-list 129 permit tcp any any eq smtp
! Inspection rule named "smtp" that does generic TCP inspection
! (for SMTP command checking the protocol keyword would be smtp, not tcp).
ip inspect name smtp tcp
interface Serial0/0
ip access-group 123 in
ip access-group 129 out
! Inspect traffic leaving the interface; the replies are then allowed in through ACL 123.
ip inspect smtp out
exit


Issue show ip inspect all to see the complete inspection configuration, or show ip inspect sessions to see the current CBAC sessions (the state table) in action. show ip inspect config and show ip inspect interfaces are also handy for checking which rules exist and where they are applied.
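A fuller version of the same design, added here as an example rather than taken from the original post or from Cisco documentation. The inspection rule name FW, the ACL names OUTSIDE-IN and OUTSIDE-OUT, the interface Serial0/0 and all timeout and threshold values are assumptions; adjust them to your own setup. It keeps the deny-all inbound list of the basic example but lets through the ICMP error messages that path MTU discovery and traceroute depend on, inspects several protocols under one rule name, turns on the audit trail so session setup and teardown are logged, and sets the half-open connection thresholds that CBAC uses to spot SYN-flood style attacks.

```cisco
configure terminal
!
! --- Inspection rule (assumed name FW): one rule, several protocols ---
! Generic TCP/UDP inspection covers anything not listed explicitly;
! the application keywords add protocol-aware checks (ftp also tracks
! the data channel so it does not need its own inbound permit).
ip inspect name FW tcp timeout 3600
ip inspect name FW udp timeout 30
ip inspect name FW smtp
ip inspect name FW ftp
!
! --- Log sessions and tune the half-open (SYN) thresholds that CBAC uses
! to detect SYN-flood style DoS; the numbers here are assumptions ---
ip inspect audit-trail
ip inspect tcp synwait-time 20
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! --- Inbound ACL on the outside interface ---
! Nothing is permitted except the ICMP error types that path MTU discovery,
! traceroute and ping from the inside rely on. CBAC prepends temporary
! permit entries for the return traffic of inspected sessions; unsolicited
! probes (port scans) fall through to the deny and are logged.
ip access-list extended OUTSIDE-IN
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 deny ip any any log
!
! --- Outbound ACL: what inside hosts are allowed to start ---
ip access-list extended OUTSIDE-OUT
 permit tcp any any eq smtp
 permit tcp any any eq ftp
 permit tcp any any eq www
 permit udp any any eq domain
 deny ip any any log
!
interface Serial0/0
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
 ip inspect FW out
!
end
!
! --- Verification ---
show ip inspect config
show ip inspect interfaces
show ip inspect sessions detail
```

Two things to watch when running this. First, the log keyword on the deny lines is the easiest way to see a scan hitting the outside interface, but on a busy link a scanner can use it to flood the router's logging process, so pair it with logging rate-limit. Second, the generic udp rule is what lets DNS replies back in for the permitted outbound queries; if you drop it, name resolution from the inside breaks even though the outbound ACL still permits the query.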

And you can read more at the following links:

http://www.ciscopress.com/articles/article.asp?p=26533&seqNum=5&rl=1 (configuration step by step)

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/fw3600.htm (sample scenario)

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008064730a.shtml (simple example)

http://www.ciscopress.com/articles/article.asp?p=26533&rl=1 (CBAC to protect DoS)

8 comments:

Anonymous said...

Can anyone recommend the best RMM software for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central system network
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

Anonymous said...

I am truly thankful to the holder of this website
who has shared this fantastic article at this time.


Also visit my homepage ... click Here

Anonymous said...

I always spend half an hour reading this webpage's posts daily along with a cup of coffee.

my weblog Linked here

Anonymous said...

thanks good for topic free iPhone 5
tiestox 1488

Anonymous said...

What I do not understand is in truth how you're now not actually much more smartly-preferred than you may be right now. You're very intelligent.
You already know thus significantly in the case of this matter, made me in my opinion consider it from numerous varied angles.
It's like women and men don't seem to be involved except it's
one thing to do with Woman gaga! Your personal stuff's outstanding.
At all times deal with it up!

Also visit my webpage; I found it

Anonymous said...

Spot on with this write-up, I actually believe this site
needs a lot more attention. I'll probably be returning to read through more, thanks for the information!

Also visit my weblog read this post here

Anonymous said...

This is a topic which is near to my heart... Thank
you! Where are your contact details though?

Feel free to visit my website: page

Anonymous said...

WOW just what I was searching for. Came here by searching for
girl

My blog his explanation