Yes, Chuck, the feature available is really exciting, but the point is that this feature has been available for a long time. I don't know why this feature couldn't gain popularity. That's why I want to know if someone has already implemented this feature & is using it.
Friends, your comments on this will be really helpful for technology enhancement, because I am comparing this feature with a firewall like CheckPoint.

Dinesh

        -----Original Message-----
        From:   Chuck Larrieu [SMTP:[EMAIL PROTECTED]]
        Sent:   Wednesday, August 09, 2000 11:43 AM
        To:     [EMAIL PROTECTED]
        Subject:        RE: enable security features with Cisco IOS using CBAC

        Funny you should mention this.

        CBAC is one of the components of the MCNS specialty and one of the strong features of the IOS security now. I've read a bit in the Held and Hundley book Cisco Access Lists Field Guide. Now that I have the means to do so, I have been contemplating how to demonstrate CBAC to interested parties in a way that can help all of us learn a little more. I'd like to be able to demonstrate something other than ping and traceroute tests. Maybe if someone has a telnet host we can use?

        Telnet_Host-----internet------My_Router/with CBAC---|
                                       |------------Another_Router/telnet into it? and then telnet into the cbac router?

        If the Cisco chat room is available, we can use that as a classroom of sorts.

        Contact me off line to hash out some ideas for this.

        Chuck


        -----Original Message-----
        From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dinesh_Kakkar
        Sent:   Tuesday, August 08, 2000 10:06 PM
        To:     [EMAIL PROTECTED]
        Subject:        enable security features with Cisco IOS using CBAC
        Importance:     High

        Hello friends

        The Context-Based Access Control (CBAC) feature is very useful in Cisco IOS; I would like to implement the same in my network. Can anyone put some more light on the implementation: how it is being implemented by you & how you did that?

        > I found that the Context-Based Access Control (CBAC) feature in Cisco IOS has a variety of options for providing security.
        > Here please find some more useful information about CBAC & reply if we can use this feature for our network.
        >
        > Service Providers offering managed network services to customers can enable security features in the Cisco IOS® software-based access routers that they install on their customers' premises. These capabilities help protect end customers against Denial of Service (DoS) attacks, intruders, and viruses. Service Providers, in effect, then, can layer a security component on top of their managed network services to help keep customers' internal information resources from being compromised - and their Web servers from falling prey to DoS attacks, which render them unavailable to users.
        >
        > TECHNOLOGY BACKGROUND
        > One security feature in Cisco IOS software is Context-Based Access Control (CBAC). CBAC, a component of the Cisco IOS Firewall feature set, filters packets based on application-layer information, such as what kinds of commands are being executed within the session. For example, if a command that is not supported is discovered in a session, the packet can be denied access.
        > The CBAC component of the Cisco IOS Firewall enhances security for TCP and User Datagram Protocol (UDP) applications that use well-known ports, such as port 80 for HTTP or port 443 for Secure Sockets Layer (SSL). It does this by scrutinizing source and destination addresses. Without CBAC, administrators can permit advanced application traffic only by writing permanent access control lists (ACLs). This approach leaves firewall doors open, so most administrators have tended to deny all such application traffic. With CBAC enabled, however, they can securely permit multimedia and other application traffic by opening the firewall as needed and closing it all other times.
        > The Cisco IOS Firewall feature set can also be configured to block Java applets from unknown or untrusted sources to protect against attacks in the form of malicious commands or the introduction of viruses. A Java executable file can steal passwords or otherwise wreak havoc with a system. Filtering applets at the firewall centralizes the filtering function for end customers. This eases administration, because it is no longer necessary to disable Javascript on all Web browsers within an organization to protect against Java attacks.
        >
        > CONFIGURATION CONSIDERATIONS
        > The Cisco IOS Firewall features, including CBAC and Java filtering, are available in version 11.2(11)P. However, additional protection and protocol support is added continually, so customers are encouraged to implement the latest version of the feature set. For example, security features that are new in Cisco IOS Release 12.0(5)T include the following:
        >
        > *     Dynamic intrusion detection
        > *     LAN-based, dynamic, per-user authentication and authorization via TACACS+ and RADIUS authentication servers.
        > *     Ability to configure audit trails, alerts, and Java blocking on a per-application basis.
        >
        > These and other Cisco IOS Firewall features are available on the Cisco 800, 1600, 1700, 2500, 2600, 3600, 7100, 7200, RSM, and RSP7500 router platforms.
        >
        > BENEFITS SUMMARY
        > Cisco IOS Firewall filtering capabilities enable a Service Provider to offer a managed network service with integrated security, which can be a point of differentiation for the provider. Bundling the security features into the customer's access router enables a Service Provider's customer to turn an existing Cisco router into a firewall without having to purchase additional devices. This is a convenient and cost-effective option for end customers.
        > To learn more about Cisco IOS Firewall, CBAC, and Java blocking capabilities, visit the following URLs:
        >
        > http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdcbac.htm
        >
        > http://www.cisco.com/univercd/cc/td/doc/pcat/iofwfts1.htm#xtocid165423
        >
        > Regards
        > Dinesh

        ___________________________________
        UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
        FAQ, list archives, and subscription info: http://www.groupstudy.com
        Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
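
A minimal classic CBAC configuration showing the contrast the quoted text draws between permanent ACL openings and temporary, inspection-driven ones. This is an added example, not taken from any message in this thread. The interface name, ACL numbers, the inspection name FWOUT and the 192.0.2.10 applet source are assumptions.

```cisco
! Added example; all names, numbers and addresses are assumptions.
!
! Static approach the quoted text warns about: return traffic and
! active-mode FTP data need permanent inbound holes such as
!   access-list 100 permit tcp any any established
!   access-list 100 permit tcp any eq ftp-data any gt 1023
!
! CBAC approach: inspect sessions leaving the inside network and let
! the router add temporary inbound openings for their return traffic.
ip inspect audit-trail
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT ftp
!
! Java blocking: applets are accepted only from sources permitted
! by standard ACL 10.
ip inspect name FWOUT http java-list 10
access-list 10 permit 192.0.2.10
!
! Inbound ACL on the outside interface denies by default. CBAC places
! temporary permits ahead of the deny while an inspected session lives.
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip any any log
!
interface Serial0
 description Outside, Internet-facing (assumed)
 ip access-group 101 in
 ip inspect FWOUT out
```

`show ip inspect sessions` lists the sessions CBAC is currently tracking, which makes it possible to watch the temporary openings appear during a Telnet or FTP session and disappear when it ends.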
