I am looking into deploying CBAC and wondered if there is a way of running it in monitor mode to get a good idea of "normal" traffic patterns. This would give us a good chance to write and verify key service ACL entries before we change our ACLs over to default deny mode. It would also give us a good idea of where to place the low and high half-open session thresholds too, which are likely to be higher than the default 400/500! I'm thinking maybe it's possible to deploy the ip inspect command on our outbound interface but to have our ACL in permit-any mode - and to build up ACL entries for our key services - which when functioning will begin to show matches - and at the same time to log output from the permit-any line in the ACL so that we can profile any other services that might be running through our router. Would log output from the IOS FW give us clues as to suitable half-open session thresholds too? I know it sends aggressive / calming pairs of messages when the high threshold is crossed; should we be raising them so that it can be "tuned" to the correct level of half-open thresholds for our network? Monitor mode is a key feature of other firewalls like Checkpoint 1 and I wondered if this is a viable alternative method for the IOS Firewall?
However, you can do something similar to what you suggested:
1) use the desired ip inspects, starting off with just the basics:
tcp, udp, ftp
2) create your acl, ensuring that you have entries for protocols/ports that don't get inspected (icmp, ah, esp, udp 500, etc) as well as any traffic initiated from the outside
3) make the last entry in your ACL permit ip any any log. Anything that you missed that normally is getting through your router will match the last entry, will be permitted, and will generate a syslog. Depending on your IOS version, you may have to precede the permit ip any any log with a permit tcp any any log and permit udp any any log, in order to see the source and destination ports (doesn't show ports with a permit ip any any in all IOS versions).
4) for your global thresholds (host, one minute, and five minute), just set them really high (like 20000 or something like that), then periodically do a show ip inspect stat (hidden command) to see the number you normally have.
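Step 3 above leaves you with a pile of syslog lines from the trailing permit-any entries; what you want out of them is a tally of which services are slipping past inspection and a first draft of the explicit ACL entries to add. The script below is an added example (not code from the original poster or the answer) that does that offline. It assumes the %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGNP message format that IOS emits for the `log` keyword on tcp/udp and other-protocol entries; the sample log lines, addresses and ACL number 101 are constructed for the example. Deciding which side of a flow is the "service" port is a heuristic (the well-known side below 1024), so treat the generated entries as candidates to verify against the flows, not as a finished ACL.

```python
import re
from collections import Counter

# Assumed IOS log formats (from the documented %SEC-6-IPACCESSLOG* messages):
#   %SEC-6-IPACCESSLOGP:  list <acl> permitted tcp A.B.C.D(sport) -> W.X.Y.Z(dport), N packet(s)
#   %SEC-6-IPACCESSLOGNP: list <acl> permitted <proto-number> A.B.C.D -> W.X.Y.Z, N packet(s)
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) permitted (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packet"
)
LOGNP = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) permitted (?P<proto>\d+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<n>\d+) packet"
)

# Constructed sample syslog output: what the trailing "permit ... any any log"
# entries of ACL 101 might report during a monitoring period.
SAMPLE_LOG = """\
Mar  1 10:00:01: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.10(443) -> 10.0.0.5(49152), 12 packets
Mar  1 10:00:02: %SEC-6-IPACCESSLOGP: list 101 permitted udp 203.0.113.20(53) -> 10.0.0.5(51000), 4 packets
Mar  1 10:00:03: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(53200) -> 10.0.0.9(25), 3 packets
Mar  1 10:00:04: %SEC-6-IPACCESSLOGNP: list 101 permitted 50 198.51.100.7 -> 10.0.0.9, 7 packets
Mar  1 10:00:05: %SEC-6-IPACCESSLOGP: list 101 permitted udp 203.0.113.20(53) -> 10.0.0.5(51001), 1 packet
"""


def classify(sport, dport):
    """Heuristic: the well-known (<1024) side of the flow is the service port.
    Returns ('dst', port) or ('src', port); both-high-port flows default to dst."""
    if dport < 1024 or sport >= 1024:
        return ("dst", dport)
    return ("src", sport)


def parse_line(line):
    """Return (proto, side, port, packets) for a matching log line, else None.
    Non-tcp/udp protocols come back as (proto_number, 'proto', None, packets)."""
    m = LOGP.search(line)
    if m:
        side, port = classify(int(m["sport"]), int(m["dport"]))
        return (m["proto"], side, port, int(m["n"]))
    m = LOGNP.search(line)
    if m:
        return (m["proto"], "proto", None, int(m["n"]))
    return None


def profile(lines):
    """Tally packets per (proto, side, port) over all parseable log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            proto, side, port, n = rec
            counts[(proto, side, port)] += n
    return counts


def suggest_acl(counts, min_packets=1):
    """Draft extended-ACL entries, busiest service first, from the tally.
    'src' services become 'permit <p> any eq <port> any' (return traffic of an
    un-inspected protocol); 'dst' services become 'permit <p> any any eq <port>'."""
    entries = []
    for (proto, side, port), n in counts.most_common():
        if n < min_packets:
            continue
        if side == "proto":
            entries.append(f"permit {proto} any any")
        elif side == "src":
            entries.append(f"permit {proto} any eq {port} any")
        else:
            entries.append(f"permit {proto} any any eq {port}")
    return entries


if __name__ == "__main__":
    tally = profile(SAMPLE_LOG.splitlines())
    for key, n in tally.most_common():
        print(f"{n:6d}  {key}")
    print("--- candidate ACL entries (verify each before adding) ---")
    for e in suggest_acl(tally):
        print(e)
```

Run it against a real syslog capture by feeding the file's lines to `profile()`; anything that shows up as a high-volume `src`-side service is return traffic for a protocol you have not put under `ip inspect`, which is usually the more useful finding than the explicit entry itself.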