I'm working on a project where the customer's current security policy permits most everything inbound from the Internet. This is due to dozens of autonomous entities that make up this customer set and the resulting difficulty of determining what should be blocked inbound from the Internet. If I apply IP inspection for TCP and UDP inbound on the firewall's external interface, understanding that the interface's inbound ACL permits Internet-sourced traffic anyway, will CBAC's inspection capabilities have any beneficial security effect at all?
Hmmm, not really, unless you have an ACL that doesn't allow traffic outbound from the internal network TO the Internet (which is unlikely). As I'm sure you're aware the benefit of CBAC is to open holes in a fairly restrictive ACL to allow return traffic. If most of their traffic originates from the Internet, then CBAC is of limited use to you.
Thanks. What's confusing from the CBAC documentation are comments that traffic has to be permitted through the ACL first before CBAC will inspect it. This makes me wonder if CBAC packet inspection for malformed or suspicious packets occurs separately from the creation of dynamic ACL entries for temporary traffic permits. If CBAC just looks at the packet and matches it to the state table to see if it's going to create a dynamic ACL permit entry, then I would agree on its inapplicability with such a security policy. Can you clarify between CBAC's inspection and CBAC's creation of dynamic ACL entries?
Are you referring to the statement "Permit CBAC traffic to leave the network through the firewall."?
If so, then I agree this is confusing. What they're really saying is permit traffic that you want to be inspected by CBAC to go through the router. This basically means "allow all outbound traffic from your internal network into the router", since unless you allow it through the router first, CBAC won't inspect it and open up a hole in your return ACL as that traffic leaves.
Further, this statement "All access lists that evaluate traffic leaving the protected network should permit traffic that will be inspected by CBAC" makes it a little clearer. Again, this really just means you have an ACL allowing the traffic that you want to be inspected later on to go through the router; otherwise CBAC will never see it and a hole will never be opened up.
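To make the relationship between the ACL and CBAC's dynamic entries concrete, here is an added example IOS configuration (not from this thread or from Cisco's documentation): a restrictive inbound ACL on the Internet-facing interface, where CBAC's holes actually matter, contrasted with the permit-everything policy from the original question. Interface names, ACL names and the 203.0.113.0/24 and 192.168.1.0/24 addresses are assumed for illustration.

```cisco
! Added example: CBAC only buys something when the ACL applied inbound on the
! Internet-facing interface is restrictive, because the dynamic entries CBAC
! creates are inserted at the top of that ACL to admit return traffic for
! sessions it inspected on the way out.
! Interface names, ACL names and addresses are assumed for illustration.
!
ip inspect name FW tcp
ip inspect name FW udp
!
! Restrictive inbound policy: only the published web server is reachable from
! the Internet; everything else is dropped unless CBAC has opened a hole for it.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any log
!
! Outbound traffic must be permitted before CBAC sees it (the documentation
! wording quoted above); with no outbound ACL on the inside interface,
! everything from 192.168.1.0/24 reaches the inspection point.
interface GigabitEthernet0/0
 description Inside
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Internet
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
! By contrast, the policy from the original question would look like:
!   ip access-list extended OUTSIDE-IN
!    permit ip any any
! With that ACL the dynamic entries CBAC adds are redundant: every inbound
! packet is already permitted by the static entry, so session-based hole
! management changes nothing for Internet-sourced flows.
```

Verify which entries CBAC has actually inserted with `show ip inspect sessions` and `show ip access-lists OUTSIDE-IN`; against a permit-any-any ACL the session table will populate but no packet is ever admitted solely because of it.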
My remaining question is whether CBAC is just ACL "hole" management. Given that CBAC ip inspect TCP and UDP are on, if a packet comes in from the Internet and an ACL entry of permit ip any any exists instead of a CBAC-created ACL hole, under what conditions will CBAC drop this packet?