Questions on Reflexive Access Lists

limtohsoon
Level 1

Hi Sir,

I'm trying to protect a server farm using reflexive access lists. I also would like any hosts to originate connections to the servers on TCP ports 23 (telnet) and 25 (smtp).

The config on the core router is as follows:

!
int Vlan10
 description *** Server Farm ***
 ip address 172.16.10.1 255.255.255.0
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
int Vlan20
 description *** Marketing Department ***
 ip address 172.16.20.1 255.255.255.0
!
int Vlan30
 description *** Engineering Department ***
 ip address 172.16.30.1 255.255.255.0
!
ip access-list extended outboundfilters
 permit tcp any any eq telnet
 permit tcp any any eq smtp
 evaluate iptraffic
!
ip access-list extended inboundfilters
 permit ip any any reflect iptraffic
!

My questions:

(1) I have yet to test the above config on an actual router. However, is it correct theoretically?

(2) If I were to allow outside hosts to initiate connections to the servers on more protocols/ports, I would be adding more normal "permit" statements in the outboundfilters ACL before the "evaluate" statement. Wouldn't this become very static-based, as far as security is concerned?

(3) If you have other better feature options that meet my requirements, please do recommend.

Please advise.

Thank you.

B.Rgds,

Lim TS

5 Replies

a.kiprawih
Level 7

(1) I have yet to test the above config on an actual router. However, is it correct theoretically?

A: The config looks fine, as you already have inbound & outbound filters associated with the permitted incoming TCP services and allowing outbound/returned traffic matching the outbound filter.

You can use the default global timeout of 300 sec, or set it to a lower value if you need to time out any idle session quickly for security reasons: "ip reflexive-list timeout 150"

Ref/Example:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c3.html#wp1001270

(2) If I were to allow outside hosts to initiate connections to the servers on more protocols/ports, I would be adding more normal "permit" statements in the outboundfilters ACL before the "evaluate" statement. Wouldn't this become very static-based, as far as security is concerned?

A: Yes, you need to add port(s) manually/statically. From a router security point of view, this is probably more secure, as you strictly dictate what can pass through (incoming), and subsequently what corresponds to the permitted/allowed outbound returned traffic.

(3) If you have other better feature options that meet my requirements, please do recommend.

A: You can also look at other options like Lock-and-Key or Context-Based Access Control (CBAC). Without a firewall blade, I think (ask TG as well) a reflexive ACL is good enough for the setup (features in router IOS), as Lock-and-Key and CBAC have a few additional requirements (i.e. an ACS server) and limitations.

Hi Amrih,

Long time no see. Thanks for your reply.

In my scenario, I want to allow restricted access for outside hosts to communicate with the servers. I'll be manually adding more "permit" statements in the "outboundfilters" ACL. These static extended access control entries (in the "outboundfilters" ACL) do not provide session filtering capability. Is this vulnerable to spoofing or DoS attacks? Probably it can be overcome by TCP Intercept or CBAC.

What's your thought?

Thank you.

B.Rgds,

Lim TS

Hi Lim,

CBAC is good as well, considering the following features:

1. Traffic Filtering:
- filters TCP and UDP packets based on application-layer protocol session information.
- permits specified TCP and UDP traffic through a firewall when the connection is initiated from the inside protected network, or from the outside network.

2. Traffic Inspection:
- discovers and manages state information for TCP and UDP sessions, which is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.
- protects against DoS attacks by checking/verifying the sequence number (must be within the expected range) and discarding unknown packets. The same goes for attacks via fragmented IP.

3. Alerts and Audit Trails:
- can send real-time alerts and audit trails to a syslog server (or the buffer log).

4. Intrusion Detection:
- embedded with 59 well-known IDS signatures. Similar to the IDS features in PIX.

Limitations:

1. Only protects the protocols you specify. The rest will depend on the ACLs you have in the router, but not up to the session layer.

2. No protection against attacks originating from the internal network, unless you have firewall (PIX/ASA/IOS Firewall) protection.

3. Only protects against certain types of well-known attacks, based on the 59 embedded IDS signatures.

For spoofing protection, i.e. a spoof attack from the outside/common user segment, maybe you should apply RFC2827 (prevent IP on the protected segment from coming back into that segment from outside). Make sure your ACL has the 'established' keyword as well. As recommended by Cisco, you should apply multiple layers of security protection, both on your router and on other devices connected to it.

Cheers!

Hi Amrih,

Thanks for the guideline.

For my simple scenario, I guess implementing reflexive access lists will suffice.

My scenario actually has two core routers. I will need to implement the same reflexive ACL on both core routers' server farm interfaces. Care must be taken to ensure symmetric routing, i.e. traffic from the server farm exiting one core router must return on the same router, because the dynamic opening is created on that particular router.

In a dynamic routing environment, most likely the distribution routers will load-balance across the two core routers into the server farm. Some manipulation of routes may need to be done, at the expense of network scalability.

Personally, I'd still prefer to implement a firewall (be it PIX/ASA, or FWSM if Cat6500) to do the job. But the customer's budget always limits the choices.

What are your thoughts?

Thank you.

B.Rgds,

Lim TS
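The mechanism Lim's posted config relies on, the idle timeout a.kiprawih mentions, and the symmetric-routing caveat raised in this post are easier to see in a small simulation. The following Python model is an added illustration written for this page; it is not Cisco code and not anything posted in the thread. It treats a reflexive list as a table of mirrored 5-tuples with an idle timer (the default 300 s and the 150 s value suggested earlier), applies the posted "inboundfilters"/"outboundfilters" logic to packets crossing Vlan10, and then runs two core routers with identical ACLs to show why a return packet that comes back through the other router is dropped. Host addresses and ports are constructed inside the thread's subnets; TCP flags, fragments and per-protocol inspection details are left out.

```python
"""Toy model of IOS reflexive access lists (constructed illustration, not Cisco code).
Models the thread's Vlan10 ACLs: 'inboundfilters' (permit ip any any reflect iptraffic)
applied 'in' from the servers, and 'outboundfilters' (static telnet/smtp permits, then
'evaluate iptraffic') applied 'out' toward the servers. Packets are bare 5-tuples."""
from dataclasses import dataclass, field

DEFAULT_TIMEOUT = 300  # IOS default for 'ip reflexive-list timeout', in seconds


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class ReflexiveList:
    """Temporary entries created by 'reflect' and consumed by 'evaluate'."""
    timeout: int = DEFAULT_TIMEOUT
    entries: dict = field(default_factory=dict)  # mirrored 5-tuple -> expiry time

    def reflect(self, pkt, now):
        # A packet seen in the reflecting direction installs a mirrored entry
        # that permits only the exact reverse flow (addresses and ports swapped).
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[key]               # idle entry has aged out
            return False
        self.entries[key] = now + self.timeout  # matching traffic refreshes the timer
        return True


class CoreRouter:
    """One core router's Vlan10 with the two ACLs from the original post."""
    STATIC_PERMITS = {("tcp", 23), ("tcp", 25)}  # permit tcp any any eq telnet / eq smtp

    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.iptraffic = ReflexiveList(timeout)

    def from_servers(self, pkt, now):
        """'ip access-group inboundfilters in': permit ip any any reflect iptraffic."""
        self.iptraffic.reflect(pkt, now)
        return True

    def to_servers(self, pkt, now):
        """'ip access-group outboundfilters out': static permits, then evaluate."""
        if (pkt.proto, pkt.dport) in self.STATIC_PERMITS:
            return True
        return self.iptraffic.evaluate(pkt, now)  # implicit deny when nothing matches


def demo_single_router():
    """Walk the posted config with constructed hosts inside the thread's subnets."""
    r = CoreRouter()
    server, client, dns = "172.16.10.5", "172.16.20.7", "172.16.30.53"
    results = {}
    # Outside host opens telnet to a server: the static permit carries it, no state needed.
    results["telnet_in"] = r.to_servers(Packet("tcp", client, 40000, server, 23), now=0)
    # Unsolicited SSH to a server: not in the static permits, no reflexive entry -> dropped.
    results["ssh_in"] = r.to_servers(Packet("tcp", client, 40001, server, 22), now=0)
    # A server sends a DNS query outward; 'reflect' installs the mirrored entry.
    r.from_servers(Packet("udp", server, 50000, dns, 53), now=10)
    # The reply within the idle timeout matches the entry -> permitted.
    results["dns_reply"] = r.to_servers(Packet("udp", dns, 53, server, 50000), now=20)
    # A reply from a different source port does not match the mirrored 5-tuple.
    results["dns_reply_wrong_port"] = r.to_servers(Packet("udp", dns, 54, server, 50000), now=20)
    # After 300 s of idleness the entry has expired -> dropped.
    results["dns_reply_late"] = r.to_servers(Packet("udp", dns, 53, server, 50000), now=320)
    # With 'ip reflexive-list timeout 150' the idle window closes sooner.
    r150 = CoreRouter(timeout=150)
    r150.from_servers(Packet("udp", server, 50000, dns, 53), now=0)
    results["dns_reply_after_150s_idle"] = r150.to_servers(Packet("udp", dns, 53, server, 50000), now=150)
    return results


def demo_two_routers():
    """Two core routers with identical ACLs: the reflexive entry exists only on the
    router that saw the outbound packet, so a return path via the other one fails."""
    core_a, core_b = CoreRouter(), CoreRouter()
    server, client = "172.16.10.5", "172.16.30.9"
    out = Packet("tcp", server, 51000, client, 443)   # server-originated HTTPS request
    back = Packet("tcp", client, 443, server, 51000)  # its return traffic
    core_a.from_servers(out, now=0)                   # request leaves via core A
    return {
        "return_via_A": core_a.to_servers(back, now=1),  # symmetric path: permitted
        "return_via_B": core_b.to_servers(back, now=1),  # asymmetric path: no entry, dropped
    }
```

Running `demo_single_router()` shows the two sides of the trade-off discussed above: the static telnet/smtp permits let anyone in regardless of state, while everything else toward the servers depends on a mirrored entry that only server-originated traffic can create and that an idle timer removes. `demo_two_routers()` returns `return_via_B` as `False`, which is exactly the asymmetric-routing failure that makes route manipulation (or a stateful firewall shared by both paths) necessary in the two-core design.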

Hi Lim,

You're right on the symmetric routing, as you need to ensure outbound/returned traffic follows the same incoming path.

In this case, both reflexive ACLs & CBAC can actually mark the connection/session and allow returned traffic to use the same link again. The only differences are the additional security features between them.

You would probably need to run a test to verify the most suitable method with your scenario.

Cheers!