Sunday, March 25, 2007

CBAC vulnerabilities

OK, last night I blogged about CBAC and its powerful features. It is really a useful feature to have in your firewall. A sample configuration was included in that blog. Well, I only included a small snippet of the configuration, but the fact is there is more to it than that. If you explore deeper, you will find additional features for CBAC. The sad thing to mention is that older versions of IOS using CBAC suffer from DoS attacks involving fragmentation of IP packets (you can use hping to actually do fragmentation), so please patch your IOS version. More information can be found here:

http://www.cisco.com/warp/public/770/nifrag.shtml

Unfortunately, CBAC also suffers from another vulnerability which allows denied traffic to pass through the dynamic ACL. More can be found here:

http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml
