I had a quick look for this and didn't find anything that looked like a
message...
Could you elaborate a bit further, please? I've never seen any packets not
get logged although I'm aware of an issue whereby the router logs the first
packet and then summarises any additional identical drops after five (or so)
minutes. Any limitations with the logging of deny statements on ACLs would
interest me greatly.
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
> -----Original Message-----
> From: Levin, Alexandre [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 17 June 2000 2:32 AM
> To: '[EMAIL PROTECTED]'
> Cc: 'Joe Dauncey'; David Leach
> Subject: RE: CISCO Firewall Feature Set
>
>
> There is one interesting problem in Cisco access-lists and logging:
> when you add log or log-input to access-list rules
> not all packets are written to the log, so you cannot really
> know which packet
> was dropped .... :(
> and I don't know a way to log it .... :(
>
> If you are interested, you can find a discussion with
> Subject: ip accounting and syslog
> on deja.com
>
> but unfortunately with no answer .....
>
>
> > -----Original Message-----
> > From: Joe Dauncey [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, June 16, 2000 9:29 AM
> > To: David Leach
> > Cc: <
> > Subject: Re: CISCO Firewall Feature Set
> >
> >
> > David,
> >
> > From the work I have done looking at it, the hub of the
> > Firewall Feature Set (Or CiscoSecure Integrated Software as
> > they now call it) is basically access control lists. The
> > access control lists are quite good, because they'll stop all
> > packets bang dead, but it is kind of scary that they seem to
> > be the hub of the 'feature'.
> >
> > The main problem we have seen from our concerns is that the
> > logging on the router is awful. You need to allocate
> > sufficient buffer space, and you could easily lose it.
> > However, if you have a local UNIX box you can bung all your
> > logging straight to it using syslog. It's not too bad when
> > you do that. You can log all denies on the access list, and
> > you can also log all CBAC connections. However, I
> > am not sure what you would need to do to log other traffic. I
> > guess set an access list up as a 'permit all log', or to some
> > lesser degree.
> >
> > One of the other main issues is the current limitations of
> > CBAC, which doesn't really handle a lot of protocols. The
> > application filtering is trivial in some cases. For example,
> > SMTP is hardcoded to allow EXPN and VRFY straight through as
> > permitted commands, even though they can lead to information
> > leaks. There is no way to change that. It is also limited to
> > UDP and TCP traffic, which means
> > that if you want to allow ICMP or anything else you have to
> > start poking holes in your access lists, which can be dodgy !
> > CBAC is supposed to check outgoing packets and then open a
> > hole in your access list to allow their responses back in. It
> > does this very well, and very responsively.
> >
> > There are also some anti-DoS measures, which are quite good.
> > They've got some fairly flexible rules to govern inbound SYN
> > connections and the like.
> >
> > To sum it up I have two main issues. As a router with a
> > firewall feature I think it is really good. As a firewall on
> > a router I am not so impressed. Too much is hardcoded with no
> > chance to see what is really going on. My second issue is
> > more to do with the people who support it. A few times now I
> > have seen router people trying to do firewall security with a
> > Cisco router, but without really a
> > clue. As the firewall world and the router world have always
> > been slightly different there are a lot of vital security
> > skills that have not yet permeated across to the router world
> > (the case is also vice versa, but not an issue here). The
> > router people tend to think that if they can do routers then
> > they can do firewalls, and so if they know IOS then they can
> > configure a secure IOS firewall. I
> > do both, and I deal with both, so I have seen it a lot, and I
> > have seen, time after time, router people get it wrong. That
> > is not to say that there aren't a lot of people who can sit
> > in the middle, but I would be very hesitant about asking a
> > load of router configurators to take over my firewalls !!
> >
> > Anyway, I hope this bit of personal opinion is of some use.
> > The IOS is really a much better firewall than I ever
> > expected, but I am still testing it and forming a final opinion.
> >
> > Cheers,
> > Joe
> >
> > (personal opinions, represent only myself, etc....)
> >
> > David Leach wrote:
> >
> > > Has anyone used the FFS or can give recommendations for or
> > > against? A router engineer I'm trying to work with has
> > > suggested replacing all the firewalls in a proposed design
> > > with routers and Access control lists. I feel confident that
> > > I have the information necessary to make the argument against
> > > doing that. However, I don't want to be caught off guard by
> > > something I don't know much about.
> > >
> > > Any help is greatly appreciated.
> > >
> > > Dave Leach, MCSE+ I
> > > Systems Security Engineer
> > > EWA, Information and Infrastructure Technologies
> > >
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> >
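The summarised deny entries that Ben and Alexandre describe are why counting log lines under-reports what an ACL actually dropped. As an added example, not code from this thread, here is a small Python parser for IOS `%SEC-6-IPACCESSLOG*` deny messages (the format is assumed from IOS syslog conventions) that sums the per-flow packet counts and flags lines that arrived as a periodic summary rather than a first hit; the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like IOS %SEC-6-IPACCESSLOG* messages
# (format assumed from IOS syslog conventions; not captured from a real router).
SAMPLE_LOG = """\
Jun 16 09:29:01 rtr1 12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(41234) -> 198.51.100.5(23), 1 packet
Jun 16 09:34:02 rtr1 13: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(41234) -> 198.51.100.5(23), 37 packets
Jun 16 09:34:40 rtr1 14: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.77 -> 198.51.100.5 (8/0), 1 packet
Jun 16 09:35:10 rtr1 15: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(53) (Ethernet0 0010.7b3a.1234) -> 198.51.100.5(53), 1 packet
Jun 16 09:40:12 rtr1 16: %SEC-6-IPACCESSLOGNP: list 101 denied 47 192.0.2.33 -> 198.51.100.5, 4 packets
"""

# One pattern covers the port (P), ICMP type/code (DP) and protocol-number (NP)
# variants, plus the "(interface mac)" field that log-input adds after the source.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, "
    r"(?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per ACL log line; unrelated syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["count"] = int(e["count"])
        # IOS logs the first matching packet at once and later identical matches
        # as a periodic count, so count > 1 means this line is a summary, not a hit.
        e["summarised"] = e["count"] > 1
        entries.append(e)
    return entries


def drops_per_flow(entries):
    """Sum packet counts per denied flow so summary lines are not read as single drops."""
    totals = defaultdict(int)
    for e in entries:
        if e["action"] != "denied":
            continue
        key = (e["acl"], e["proto"], e["src"], e["sport"], e["dst"], e["dport"])
        totals[key] += e["count"]
    return dict(totals)


if __name__ == "__main__":
    for flow, n in drops_per_flow(parse_acl_log(SAMPLE_LOG)).items():
        print(f"{n:4d} dropped  acl={flow[0]} {flow[1]} {flow[2]}:{flow[3]} -> {flow[4]}:{flow[5]}")
```

The per-flow totals are recoverable from the counts, but the timestamps of the individual packets inside a summarised interval are not, which is the limitation the thread is pointing at.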