
CBAC question

Status
Not open for further replies.

AyrishGrl

Technical User
Joined
Feb 14, 2005
Messages
129
Location
US
I have been researching CBAC and ip inspect as a possibility for our 7204 border routers. I have a basic understanding of the inspection process now, but am wondering how to implement it for our network. We do require inbound access from the internet for our customers. However, we are interested in the DoS prevention that CBAC offers. Is there a way to just use ip inspect to prevent DoS/well-known hacker attempts while still leaving our inbound access intact? Would I have to specifically define each customer that requires inbound access?
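As an added illustration (not posted in this thread), one way to combine CBAC's half-open-session thresholds with an inbound ACL that keeps customer services reachable: inspection is applied inbound on the Internet-facing interface so that connections from the outside are the ones being counted. Interface names, ACL number, addresses, thresholds and the rule name are placeholders.

```cisco
! Global CBAC DoS tuning (placeholder values): CBAC counts half-open
! (embryonic) TCP sessions and starts dropping new ones once the
! high-water marks are crossed, until the count falls below the low marks.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-destination-host limit; block new connections to that host for 2 minutes
ip inspect tcp max-incomplete host 50 block-time 2
! Drop a half-open TCP session that does not complete within 20 seconds
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! Generic inspection rule: track TCP and UDP sessions statefully
ip inspect name OUTSIDE-IN tcp
ip inspect name OUTSIDE-IN udp
!
! Inbound ACL: permit only the customer services that must be reachable
! from the Internet (placeholder addresses), deny everything else.
access-list 110 permit tcp any host 192.0.2.10 eq www
access-list 110 permit tcp any host 192.0.2.11 eq smtp
access-list 110 deny ip any any log
!
interface FastEthernet0/0
 description Internet-facing (placeholder interface)
 ip address 198.51.100.1 255.255.255.0
 ip access-group 110 in
 ! Inspect sessions entering from the Internet; return traffic toward the
 ! outside gets dynamic entries, and the thresholds above apply to them.
 ip inspect OUTSIDE-IN in
```

`show ip inspect config` shows the thresholds in effect and `show ip inspect sessions` lists the sessions CBAC is tracking.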
 
Neither Cisco's PIX Firewall, nor the Context-Based Access Control (CBAC) feature of Cisco's IOS Firewall Feature Set, protects hosts against certain denial of service attacks involving fragmented IP packets. This vulnerability does not permit network "breakins". The vulnerability is most severe in configurations involving static Network Address Translation (NAT) entries, or in configurations not involving any use of NAT.

The vulnerability is present in Cisco PIX Firewall software up to and including version 4.2(1), and in CBAC versions of Cisco IOS software through 11.2P and 11.3T, and will be present in initial 12.0 revisions of CBAC software.

The Cisco Centri Firewall does not share this vulnerability.

Stateless packet filtering products, such as the extended access lists available in non-CBAC versions of Cisco IOS software, share the vulnerability because of the inherent limitations of stateless operation. Thus it is not considered a defect in stateless filtering. More information is in the section on "Stateless Packet Filters" in this document.

This vulnerability will be fixed in Cisco PIX Firewall software version 4.2(2), which is tentatively scheduled for release on or after September 16, 1998. The vulnerability is scheduled to be fixed for CBAC in Cisco IOS software release 12.0(2) and 12.0(3)T, which are tentatively scheduled for release in late November 1998, and in late January 1999, respectively. All schedules are subject to change.

The possibility of IP fragmentation attacks against packet filters, from Cisco and other vendors, has been widely known for a very long time. However, exploitation does not seem to be increasing. Therefore, Cisco does not believe that the majority of its customers are critically exposed by this vulnerability. Cisco is, however, prepared to support any customers who suffer actual attacks, or who have specific reason to think that they are likely to be attacked in this way.

 
Those bugs appear to affect older IOS releases. We are running 12.2(19a) on our routers and v6.x on our PIX (I think).

Also, since it appears you have to purchase the FW capabilities to run CBAC, is there a way to tell from the existing config if you already have that? I believe we do, as there are ip inspect commands in the config; they are just not being used currently. Thanks.
 