IOS Firewall Feature sets & SDM

87305
Level 1

Hello Everyone,

I am trying to understand the Cisco IOS firewall feature sets in regards to SDM.

As I understand it, depending on the IOS, SDM will allow you to create any customized firewall using the Cisco IOS firewall feature sets.

However, when creating basic or advanced firewall policies using SDM, is it simply using standard and extended ACL's for denied traffic and CBAC lists for the permitted traffic?

To my understanding CBAC lists examine the application layer (L7).

What I do not understand is what is being examined when CBAC lists are configured.

For example, if CBAC's are configured and ip inspect ftp or ip inspect http was configured, what would the CBAC's be examining for? Malformed packets? Open/Close sessions, etc. Also where is the signature list kept to determine what to examine, if there is such. Also what criteria are used to determine to drop the packets, etc?

Any information would be greatly appreciated.

Cheers,

2 Replies

dominic.caron
Level 5

HTTP inspection is used to filter java applet or url

FTP inspection is used to inspect the control connection and dynamically allow data connection back in.

If you inspect generic TCP and UDP, this is used to allow returning traffic into your network. (TCP also examines sequence numbers.)

The main use of CBAC is to allow sessions originating from the inside of your network to come back in, even if your outside ACL denies the traffic. There is no signature list; it's not an IPS.

You can usually add the IPS feature to your router, but you'll have to pay for a subscription. The basic IOS FW signatures are...basic.
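To make the reply concrete, here is an added example of the classic CBAC setup it describes (inspect outbound sessions on the inside interface, deny everything inbound on the outside interface, and let CBAC open the return path dynamically). This is not configuration from the thread or from Cisco; the interface names, addresses and the rule name OUTBOUND are assumed for illustration.

```cisco
! Added example, not from the thread. Assumed topology:
!   FastEthernet0/0 = inside LAN (192.168.1.0/24, assumed)
!   FastEthernet0/1 = outside/Internet (203.0.113.2/30, assumed)
!
! Inspection rule: track outbound FTP (control + dynamic data channel),
! HTTP (can also filter Java applets via java-list) and generic TCP/UDP
! so that only the matching return traffic is let back in.
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND http
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Session-table aging: idle sessions are dropped from the state table,
! after which packets for them fall through to the outside ACL.
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! Outside ACL: no unsolicited inbound traffic. CBAC inserts temporary
! permit entries ahead of this for sessions that started inside.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
interface FastEthernet0/0
 description inside LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip inspect OUTBOUND in
!
interface FastEthernet0/1
 description outside (assumed)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
```

After an inside host opens a connection, `show ip inspect sessions` lists the tracked session and `show ip access-lists` shows the temporary entries CBAC added ahead of OUTSIDE-IN; once the session ages out, both disappear and the static deny applies again, which is the behaviour the reply describes (state tracking, not signature matching).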

Thank you for the reply as it is most appreciated.

In regards to the firewall configuration with SDM, how are the firewall rules sets created? Are they simply standard and extended ACL's, including CBAC's, or is there more.

Overall, will the SDM firewall features improve upon security compared to writing my own ACL's?

What are the benefits if such?

Any feedback would be greatly appreciated.

Thank you in advance,

Cheers,
