- Posts: 80
- Thank you received: 0
CABC and creates a dynamic ACL - this scenario (curriculum)
17 years 7 months ago #21302
by zillah
I am aware how CBAC does work , please look at the figure below (step 2) :
img484.imageshack.us/img484/7679/cabcib1.jpg
In step 2, he says: " CBAC creates a dynamic ACL allowing return traffic back through the firewall "
Does he mean by: " CBAC creates a dynamic ACL,,,,etc ", the command line underneath it ? :
Access-list 102 permit TCP host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
img484.imageshack.us/img484/7679/cabcib1.jpg
In step 2, he says: " CBAC creates a dynamic ACL allowing return traffic back through the firewall "
Does he mean by: " CBAC creates a dynamic ACL,,,,etc ", the command line underneath it ? :
Access-list 102 permit TCP host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
17 years 7 months ago #21303
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: CABC and creates a dynamic ACL - this scenario (curriculum)
I think its trying to say that it will dynamically create the line you have indicated. If you think about, you would normally create your own ACL that would allow traffic from any port to port 23. Then its saying the CBAC will then dynamically create a rule to allow the return traffic back out to the host.
Its very similar to a statful firewall, pretty much the same function as a pix for example, you specify a rule to allow traffic out and the return traffic is allowed back in.
Thats what it looks like to me
cheers
Its very similar to a statful firewall, pretty much the same function as a pix for example, you specify a rule to allow traffic out and the return traffic is allowed back in.
Thats what it looks like to me
cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 7 months ago #21311
by zillah
Second , why does CBAC create that specific ACL (i.e eq 23) only ? Can't it create other (eq 80, eq 21, etc) ?
Third why does "TCP" word in the command line come in the upper case (as we know cisco convention with keyword is lower case not upper case,,,,,,upper case for naming) ? Is it typo ?
Replied by zillah on topic Re: CABC and creates a dynamic ACL - this scenario (curriculum)
Yes this the behavior for stateful firewall.Its very similar to a statful firewall, pretty much the same function as a pix for example, you specify a rule to allow traffic out and the return traffic is allowed back in.
That means we do not need to create the ACL that is mentioned manually, it will be created automatically. That means he mentioned it in the slide only for explanation purpose ?I think its trying to say that it will dynamically create the line you have indicated.
Second , why does CBAC create that specific ACL (i.e eq 23) only ? Can't it create other (eq 80, eq 21, etc) ?
Third why does "TCP" word in the command line come in the upper case (as we know cisco convention with keyword is lower case not upper case,,,,,,upper case for naming) ? Is it typo ?
17 years 7 months ago #21319
by Smurf
Thats what i beleive, yes. You need to allow some form of traffic however the return traffic will be automatically allowed to return since CBAC will handle this as it knows its part of the communications.
It can if you allow a rule to allow traffic in the first place. I think its only used as an example and you will need to ensure that the port 23 traffic is allowed first before the return traffic will be allowed to travel back. Without this manual rule, the dynamic rules will not be created.
I think this is an exception. Not done much with CBAC however from configs i have seen, they have been in uppercase. I'm sure someone who does this in their day to day job can confirm
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: CABC and creates a dynamic ACL - this scenario (curriculum)
That means we do not need to create the ACL that is mentioned manually, it will be created automatically. That means he mentioned it in the slide only for explanation purpose ?
Thats what i beleive, yes. You need to allow some form of traffic however the return traffic will be automatically allowed to return since CBAC will handle this as it knows its part of the communications.
Second , why does CBAC create that specific ACL (i.e eq 23) only ? Can't it create other (eq 80, eq 21, etc) ?
It can if you allow a rule to allow traffic in the first place. I think its only used as an example and you will need to ensure that the port 23 traffic is allowed first before the return traffic will be allowed to travel back. Without this manual rule, the dynamic rules will not be created.
Third why does "TCP" word in the command line come in the upper case (as we know cisco convention with keyword is lower case not upper case,,,,,,upper case for naming) ? Is it typo ?
I think this is an exception. Not done much with CBAC however from configs i have seen, they have been in uppercase. I'm sure someone who does this in their day to day job can confirm
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 7 months ago #21322
by zillah
Replied by zillah on topic Re: CABC and creates a dynamic ACL - this scenario (curriculum)
Thanks smurf for your sharing and your effort
for more clarification and sharing knowledge, this is what I have been advised :
What he means is this.
the host 10.0.0.3 creates a telnet session (port 23) to the server 172.30.1.50. This is allowed out through the router.
On the router interface that connects to the 172.30.1.50 network there is an access-list that looks like
access-list 102 deny ip any any
and this access-list is applied in an inbound direction.
This will stop all inbound connections from outside.
What happens when the inside host telnets out is that a line is dynamically added to access-list 102. So now your access-list looks like this
access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
access-list 102 deny ip any any,,,,or any other number
When the telnet session is finished the dynamically added line will disappear and your access-list will be
access-list 102 deny ip any any
That means our configuration looks like this :
Assume interface fastethernet0/1 (right hand side of the picture) is connected to the server
Router(config)#interface fastethernet0/1
Router(config-if)#ip access-group 102 in
Router(config-if)#ip inspect FWRULE out
Router(config-if)#no shutdown
Router(config-if)#exit
CBAC will automatically add its command before any statically configured lines that we have typed in ,so the dynamic lines will always be at the top of the access-list.
for more clarification and sharing knowledge, this is what I have been advised :
What he means is this.
the host 10.0.0.3 creates a telnet session (port 23) to the server 172.30.1.50. This is allowed out through the router.
On the router interface that connects to the 172.30.1.50 network there is an access-list that looks like
access-list 102 deny ip any any
and this access-list is applied in an inbound direction.
This will stop all inbound connections from outside.
What happens when the inside host telnets out is that a line is dynamically added to access-list 102. So now your access-list looks like this
access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
access-list 102 deny ip any any,,,,or any other number
When the telnet session is finished the dynamically added line will disappear and your access-list will be
access-list 102 deny ip any any
That means our configuration looks like this :
Assume interface fastethernet0/1 (right hand side of the picture) is connected to the server
Router(config)#interface fastethernet0/1
Router(config-if)#ip access-group 102 in
Router(config-if)#ip inspect FWRULE out
Router(config-if)#no shutdown
Router(config-if)#exit
CBAC will automatically add its command before any statically configured lines that we have typed in ,so the dynamic lines will always be at the top of the access-list.
17 years 7 months ago #21323
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: CABC and creates a dynamic ACL - this scenario (curriculum)
Thats correct, however to secure things more you would generally have an access-list restricting the outgoing traffic. In this you would therefore need to then create the rule to allow the telnet traffic out in the first place. Then the CBAC will automatically generate the 102 access rule to allow the return traffic while the session is active.
Doesn't seem very secure if you do not restrict the outgoing traffic since it leaves your company open to abuse from inside the network. Remember, you are responsible for the link so if a massive DDoS attack happened that was sourced from within your network, you would be help responsible.
Thats why i generally create rules to restrict incoming traffic from the internet (that goes without saying) but also i restrict all outgoin traffic fall inline with our security policies.
Cheers
Doesn't seem very secure if you do not restrict the outgoing traffic since it leaves your company open to abuse from inside the network. Remember, you are responsible for the link so if a massive DDoS attack happened that was sourced from within your network, you would be help responsible.
Thats why i generally create rules to restrict incoming traffic from the internet (that goes without saying) but also i restrict all outgoin traffic fall inline with our security policies.
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.141 seconds