
IP TCP intercept and CBAC

kjanakiraman
Level 1

I read in the Cisco Security Architecture book that the TCP intercept option is available on router platforms from version 11.3. I have a Cisco 3640 with IOS 12.(x) Firewall feature set. But when I type in ip tcp intercept in global configuration I get "unrecognised command". Is this command router specific?

Can I use CBAC to act as an application firewall for my web servers? If possible, what are the steps that I need to do?

Thanks in Advance

9 Replies

thisisshanky
Level 11

Does your IOS have the firewall feature set?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Yes, I have IOS with firewall feature set.

TCP intercept will help in preventing SYN flood attacks (DoS attacks) for your servers running protocols over TCP. It won't help if any server is running UDP.

Also check the naming convention for your IOS for the 3600 with firewall feature set. A sample one would look like c3640-io3-mz.122-7c.bin.

c3640 obviously means the IOS is for a 3640.

io3 - IP subset, o3 stands for firewall with SSH support.

Get back with the one that you have.

CBAC can be used as an app-based FW.

For details about CBAC:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/

This link helps a lot in understanding the Cisco IOS FW feature set. Also it helps a lot with CCNP Security certifications.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Thanks a lot for your information. The IOS I have is c3640-ik8o3s-mz.122-7c.bin. I need to prevent SYN floods on my web server by making the router intercept the connections from the untrusted network. Is it possible with the IOS version I have?

Thanks in Advance

What options do you see after entering

ip tcp ?

Do you see an intercept option?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

In global configuration, when I type in ip tcp ? I get only the options below and no intercept option.

async-mobility
chunk-size
mss
path-mtu-discovery
queuemax
selective-ack
synwait-time
timestamp
window-size

Thanks

According to the Cisco "software advisor" (nee "feature navigator") at

http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl

you need an Enterprise Plus or Service Provider PT/TARP IOS image to get TCP Intercept on 3640 IOS 12.2(7c). IP Firewall images are not enough to get you what you need on a 3640. Note that you may need a CCO login to get to the software advisor page (I have not tried it without logging in).

Good luck!

Vincent C Jones

The IOS image name would look like this when you have an enterprise version:

c3640-jk8o3s-mz.12.2-7c

Note that you have

c3640-ik8o3s-mz.12.2-7c

j for enterprise.

Also Cisco recommends not using CBAC and TCP intercept together, as both use the same software engine, which could lead to performance issues.

Also the enterprise version of the software requires 96 MB DRAM and 32 MB flash.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
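The two posts above explain the IOS image naming convention (i for the IP subset, o3 for firewall with SSH, j for enterprise) and that TCP intercept on this 3640 needs an Enterprise Plus image; the following added example, which is not code from any poster in this thread, parses an image file name into those fields and checks for the enterprise (j) and plus (s) letters. The meaning of "s" as "plus" and the function names are assumptions, not something the thread states.

```python
import re
from typing import NamedTuple

# Feature-set letters as explained in this thread. "s" meaning "plus" is an
# assumption from common IOS naming, not something the thread states.
FEATURE_CODES = {
    "i": "IP subset",
    "j": "enterprise",
    "o3": "firewall with SSH support",
    "s": "plus (assumed)",
}

# c3640-ik8o3s-mz.122-7c.bin -> platform, feature field, memory field, version.
IMAGE_RE = re.compile(
    r"^(?P<platform>c\d+)-(?P<feat>[a-z0-9]+)-(?P<mem>[a-z]+)"
    r"\.(?P<major>\d+)-(?P<release>\d+[a-z]*)(?:\.bin)?$"
)

class IosImage(NamedTuple):
    platform: str
    features: tuple   # e.g. ("i", "k8", "o3", "s")
    version: str      # e.g. "12.2(7c)"

def parse_image_name(name: str) -> IosImage:
    """Split an IOS image file name into its naming-convention fields."""
    m = IMAGE_RE.match(name.strip().lower())
    if not m:
        raise ValueError(f"not an IOS image name: {name!r}")
    # The feature field is letters each optionally followed by a digit
    # (i, k8, o3, s), so tokenise on letter+digits.
    features = tuple(re.findall(r"[a-z]\d*", m.group("feat")))
    major = m.group("major")
    # "122" encodes 12.2: the train is the first two digits, then the minor.
    version = f"{major[:2]}.{major[2:]}({m.group('release')})"
    return IosImage(m.group("platform"), features, version)

def describe_features(image: IosImage) -> list:
    """Meaning of each feature letter, as far as the thread explains them."""
    return [f"{c}: {FEATURE_CODES.get(c, 'unknown')}" for c in image.features]

def is_enterprise_plus(image: IosImage) -> bool:
    """True when both j (enterprise) and s (plus) are present: per the thread,
    TCP intercept on a 3640 at 12.2(7c) needs an Enterprise Plus image."""
    return "j" in image.features and "s" in image.features

if __name__ == "__main__":
    for name in ("c3640-ik8o3s-mz.122-7c.bin", "c3640-jk8o3s-mz.122-7c.bin"):
        img = parse_image_name(name)
        print(name, img.version, describe_features(img), is_enterprise_plus(img))
```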

Thanks a lot for your information.