I'm using a pair of Juniper SSG550s to form a site-to-site IPSEC tunnel.
Both SSGs are behind Cisco 2801 routers, acting as the main ISP gateways for the Juniper boxes.
Now, during recent penetration tests I found that both Cisco devices are vulnerable to even the most primitive SYN-flood type of attack.
[Using hping3 --flood --syn --rand-source <target_IP> I was able to DoS the 2801 and fill up its session tables in a few seconds.]
In order to increase the level of protection I'm looking into implementing Cisco's CBAC/TCP Inspection features,
to be able to defeat DoS/DDoS type attacks and guard the Cisco.
Now, the question is the interop between Cisco's CBAC feature and Juniper's IPSEC/IKE/ESP type of traffic.
First, let's take this simple topology as an example of a functional model:
The SSG550s act as VPN endpoints for the IPSEC/IKE tunnel, and both LANs can reach each other.
Now, if I enable CBAC/TCP Intercept on Cisco_A:
When an initial IPSEC/IKE handshake request is sent from SSG_A to SSG_B, CBAC on Cisco_A should record this flow as a valid outbound flow,
and should pass it through, as there's no outbound ACL at all.
But what will happen with the return/inbound traffic [IPSEC response/keys from SSG_B]?
Is CBAC clever enough to recognize the response from SSG_B even if there's no inbound ACL on Cisco_A for the IP of SSG_B?
Will this one pass through Cisco_A and form the tunnel?
Or will the CBAC on Cisco_A drop the flow?
Many thanks for ANY response/hint or tip.
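The configuration below is an added example for the question above; it is not from the original post or from Cisco or Juniper documentation, and it has not been applied to the poster's routers. It shows the way CBAC is normally combined with a VPN endpoint behind the router: CBAC only creates dynamic return openings for the protocols it inspects (TCP, UDP and the listed application protocols), so UDP 500 IKE replies would be let back in by the inspection entry, but ESP (IP protocol 50) is not a TCP/UDP flow and gets no dynamic opening at all. Without an inbound ACL on the outside interface nothing is filtered anyway, so the usual design is an explicit inbound ACL that statically permits IKE, NAT-T and ESP between the two SSG addresses, with CBAC and its half-open thresholds protecting everything else. The interface name, inspection name, ACL names and the two endpoint addresses (192.0.2.10 for SSG_A, 198.51.100.10 for SSG_B, taken from documentation ranges) are constructed placeholders.

```cisco
! Added example (not the poster's config). Addresses and names are placeholders.
! 192.0.2.10     = SSG_A public address (behind Cisco_A)   -- assumed
! 198.51.100.10  = SSG_B public address (behind Cisco_B)   -- assumed
!
! CBAC inspection rule: inspect TCP and UDP leaving the outside interface,
! so that replies to sessions opened from the inside are dynamically permitted.
ip inspect name VPN_INSPECT tcp
ip inspect name VPN_INSPECT udp
!
! Half-open (embryonic) session limits: these are the CBAC knobs that react
! to a SYN flood by aggressively ageing out incomplete sessions.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp synwait-time 15
!
! Inbound ACL on the outside interface. CBAC never opens holes for ESP, and IKE
! rekeys can be initiated by either peer, so the VPN protocols are permitted
! statically between the two endpoints; everything else relies on CBAC openings.
ip access-list extended OUTSIDE_IN
 permit udp host 198.51.100.10 host 192.0.2.10 eq isakmp
 permit udp host 198.51.100.10 host 192.0.2.10 eq non500-isakmp
 permit esp host 198.51.100.10 host 192.0.2.10
 deny ip any any log
!
interface FastEthernet0/0
 description Outside / ISP (placeholder interface)
 ip access-group OUTSIDE_IN in
 ip inspect VPN_INSPECT out
!
! Optional: TCP Intercept for inside servers reachable from the outside.
! It is a separate feature from CBAC and only protects the destinations
! listed in its ACL; it does not apply to IKE (UDP) or ESP.
ip access-list extended TCP_INTERCEPT_ACL
 permit tcp any host 192.0.2.10
ip tcp intercept list TCP_INTERCEPT_ACL
ip tcp intercept mode intercept
```

With this in place the outbound IKE request from SSG_A creates a UDP inspection entry, the ESP and IKE replies from SSG_B match the static permits regardless of inspection state, and `show ip inspect sessions` and `show ip inspect statistics` on Cisco_A show whether the half-open thresholds are being hit during a flood.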