There is one interesting problem in Cisco access-lists and logging:
when you add log or log-input to access-list rules
not all packets are written to the log. So you cannot really know which packet
was dropped .... :(
and I don't know a way to log it .... :(
If you are interested - you can find a discussion with
Subject: ip accounting and syslog
on deja.com
but unfortunately with no answer .....
> -----Original Message-----
> From: Joe Dauncey [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 16, 2000 9:29 AM
> To: David Leach
> Cc: <
> Subject: Re: CISCO Firewall Feature Set
>
>
> David,
>
> From the work I have done looking at it, the hub of the
> Firewall Feature Set (Or CiscoSecure Integrated Software as
> they now call it) is basically access control lists. The
> access control lists are quite good, because they'll stop all
> packets bang dead, but it is kind of scary that they seem to
> be the hub of the 'feature'.
>
> The main problem we have seen from our concerns is that the
> logging on the router is awful. You need to allocate
> sufficient buffer space, and you could easily lose it.
> However, if you have a local UNIX box you can bung all your
> logging straight to it using syslog. It's not too bad when
> you do that. You can log all denies on the access list, and
> you can also log all CBAC connections. However, I
> am not sure what you would need to do to log other traffic. I
> guess set an access list up as a 'permit all log', or to some
> lesser degree.
>
> One of the other main issues is the current limitations of
> CBAC, which doesn't really handle a lot of protocols. The
> application filtering is trivial in some cases. For example,
> SMTP is hardcoded to allow EXPN and VRFY straight through as
> permitted commands, even though they can lead to information
> leaks. There is no way to change that. It is also limited to
> UDP and TCP traffic, which means
> that if you want to allow ICMP or anything else you have to
> start poking holes in your access lists, which can be dodgy !
> CBAC is supposed to check outgoing packets and then open a
> hole in your access list to allow their responses back in. It
> does this very well, and very responsively.
>
> There are also some anti-DoS measures, which are quite good.
> They've got some fairly flexible rules to govern inbound SYN
> connections and the like.
>
> To sum it up I have two main issues. As a router with a
> firewall feature I think it is really good. As a firewall on
> a router I am not so impressed. Too much is hardcoded with no
> chance to see what is really going on. My second issue is
> more to do with the people who support it. A few times now I
> have seen router people trying to do firewall security with a
> Cisco router, but without really a
> clue. As the firewall world and the router world have always
> been slightly different there are a lot of vital security
> skills that have not yet permeated across to the router world
> (the case is also vice versa, but not an issue here). The
> router people tend to think that if they can do routers then
> they can do firewalls, and so if they know IOS then they can
> configure a secure IOS firewall. I
> do both, and I deal with both, so I have seen it a lot, and I
> have seen, time after time, router people get it wrong. That
> is not to say that there aren't a lot of people who can sit
> in the middle, but I would be very hesitant about asking a
> load of router configurators to take over my firewalls !!
>
> Anyway, I hope this bit of personal opinion is of some use.
> The IOS is really much better a firewall than I ever
> expected, but I am still testing it and forming a final opinion.
>
> Cheers,
> Joe
>
> (personal opinions, represent only myself, etc....)
>
> David Leach wrote:
>
> > Has anyone used the FFS or can give recommendations for or
> against? A router engineer I'm trying to work with has
> suggested replacing all the firewalls in a proposed design
> with routers and Access control lists. I feel confident that
> I have the information necessary to make the argument against
> doing that. However, I don't want to be caught off guard by
> something I don't know much about.
> >
> > Any help is greatly appreciated.
> >
> > Dave Leach, MCSE+ I
> > Systems Security Engineer
> > EWA, Information and Infrastructure Technologies
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
>
>
>
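The first message's point can be seen on the syslog side: for a `log` / `log-input` entry IOS emits one `%SEC-6-IPACCESSLOG*` line for the first matching packet and then periodic summaries carrying an "N packets" count, plus an `IPACCESSLOGRL` line when logging was rate-limited, so the collector receives counts, not one record per dropped packet. The following parser is an added example and not part of the thread; the log lines, router name `rtr1` and addresses are constructed, and the regexes are my own reading of the message format.

```python
import re
from collections import Counter

# Constructed sample syslog lines (timestamps, host and addresses made up) in the
# %SEC-6-IPACCESSLOG{P,DP,NP,RL} format IOS uses for 'log' / 'log-input' ACL entries.
SAMPLE_LOG = """\
Jun 16 09:29:01 rtr1 12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1034) -> 198.51.100.5(23), 1 packet
Jun 16 09:34:02 rtr1 13: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1034) -> 198.51.100.5(23), 37 packets
Jun 16 09:34:03 rtr1 14: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.11(2048) (Ethernet0 0000.0c12.3456) -> 198.51.100.5(80), 1 packet
Jun 16 09:35:10 rtr1 15: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.12 -> 198.51.100.5 (8/0), 12 packets
Jun 16 09:35:11 rtr1 16: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 10 packets
"""

# One entry: list, action, protocol, src[(port)] [(ingress-iface mac) from log-input]
# -> dst[(port)] [(icmp type/code)], count packet(s).
ENTRY = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?, "
    r"(?P<count>\d+) packets?"
)
# Router's own admission that log messages were dropped.
RATE_LIMITED = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?(?P<count>\d+) packets")


def summarize(log_text):
    """Return (flows, lines, packets, missed).

    flows maps (acl, action, proto, src, dst) to the packet count the router
    reported for it; lines is the number of ACL log entries received; packets is
    the sum of reported counts; missed is the total from IPACCESSLOGRL lines.
    """
    flows = Counter()
    lines = packets = missed = 0
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m:
            n = int(m["count"])
            flows[(m["acl"], m["action"], m["proto"], m["src"], m["dst"])] += n
            lines += 1
            packets += n
            continue
        r = RATE_LIMITED.search(line)
        if r:
            missed += int(r["count"])
    return flows, lines, packets, missed


if __name__ == "__main__":
    flows, lines, packets, missed = summarize(SAMPLE_LOG)
    print(f"{lines} log lines describe {packets} packets; router reports {missed} more unlogged")
    for key, n in sorted(flows.items()):
        print(f"  {key}: {n} packets")
```

The gap between `lines` and `packets` (and the non-zero `missed`) is exactly why a syslog archive cannot say which individual packet an ACL dropped.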