RE: enable security features with Cisco IOS using CBAC
ip inspect name "inspectionname" http java-list access-list timeout

You need to build a standard access-list for the java access-list; it can only be used with a standard ACL. This will allow the web page through but block the java applet content. You can allow in the list sites you know are clean or safe and deny all other java applets.

There is another way to block all java and the page containing the java, but I do not have my reference in front of me or I would give you more detail. Also, I do not believe this will work on compressed java like .jar or zipped java. You should search CCO for "Java blocking CBAC" for a more in-depth explanation.

-Original Message-
From: Dinesh_Kakkar [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000 11:30 PM
To: 'Chris Larson'; [EMAIL PROTECTED]
Subject: RE: enable security features with Cisco IOS using CBAC

> Hello Chris,
>
> I would like to know how CBAC can be used to disable Java scripts. Can you tell me how I can have defense from such kind of vulnerabilities of Java?
RE: enable security features with Cisco IOS using CBAC
We use CBAC as a useful first line of defense before the firewall. Using CBAC we can limit embryonic or half-open connections, specify a maximum number of incomplete handshakes, set thresholds for certain types of data, limit java scripts and the level at which they operate, only allow connections back through originating from the inside including udp apps, etc. etc. That is how we use it, mainly as a first line of defense and to limit dos attacks and attacks that rely on creating a large amount of connections or bombardment.

-Original Message-
From: Dinesh_Kakkar [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000 1:06 AM
To: [EMAIL PROTECTED]
Subject: enable security features with Cisco IOS using CBAC
Importance: High

Hello friends

Context-Based Access Control (CBAC) feature is very useful in Cisco IOS; I would like to implement the same in my network. Can anyone put some more light on the implementation, how it is being implemented by you and how you did that?

> I found that Context-Based Access Control (CBAC) feature in Cisco IOS has a variety of options for providing security.
> Here please find some more useful information about CBAC and reply if we can use this feature for our network.
>
> Service Providers offering managed network services to customers can enable security features in the Cisco IOS® software-based access routers that they install on their customers' premises. These capabilities help protect end customers against Denial of Service (DoS) attacks, intruders, and viruses. Service Providers, in effect, then, can layer a security component on top of their managed network services to help keep customers' internal information resources from being compromised - and their Web servers from falling prey to DoS attacks, which render them unavailable to users.
>
> TECHNOLOGY BACKGROUND
>
> One security feature in Cisco IOS software is Context-Based Access Control (CBAC). CBAC, a component of the Cisco IOS Firewall feature set, filters packets based on application-layer information, such as what kinds of commands are being executed within the session. For example, if a command that is not supported is discovered in a session, the packet can be denied access.
>
> The CBAC component of the Cisco IOS Firewall enhances security for TCP and User Datagram Protocol (UDP) applications that use well-known ports, such as port 80 for HTTP or port 443 for Secure Sockets Layer (SSL). It does this by scrutinizing source and destination addresses. Without CBAC, administrators can permit advanced application traffic only by writing permanent access control lists (ACLs). This approach leaves firewall doors open, so most administrators have tended to deny all such application traffic. With CBAC enabled, however, they can securely permit multimedia and other application traffic by opening the firewall as needed and closing it all other times.
>
> The Cisco IOS Firewall feature set can also be configured to block Java applets from unknown or untrusted sources to protect against attacks in the form of malicious commands or the introduction of viruses. A Java executable file can steal passwords or otherwise wreak havoc with a system. Filtering applets at the firewall centralizes the filtering function for end customers. This eases administration, because it is no longer necessary to disable Javascript on all Web browsers within an organization to protect against Java attacks.
>
> CONFIGURATION CONSIDERATIONS
>
> The Cisco IOS Firewall features, including CBAC and Java filtering, are available in version 11.2(11)P. However, additional protection and protocol support is added continually, so customers are encouraged to implement the latest version of the feature set. For example, security features that are new in Cisco IOS Release 12.0(5)T include the following:
>
> * Dynamic intrusion detection
> * LAN-based, dynamic, per-user authentication and authorization via TACACS+ and RADIUS authentication servers.
> * Ability to configure audit trails, alerts, and Java blocking on a per-application basis.
>
> These and other Cisco IOS Firewall features are available on the Cisco 800, 1600, 1700, 2500, 2600, 3600, 7100, 7200, RSM, and RSP7500 router platforms.
>
> BENEFITS SUMMARY
>
> Cisco IOS Firewall filtering capabilities enable a Service Provider to offer a managed network service with integrated security, which can be a point of differentiation for the provider. Bundling the security features into the customer's access router enables a Service Provider's customer to turn an existing Cisco router into a firewall without having to purchase additional devices. This is a convenient and cost-effective option for end customers.
>
> To learn more about Cisco IOS Firewall, CBAC, and Java blocking capabilities, visit the following URLs:
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/s
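As an added example, not configuration from this thread or from Cisco's own documentation, here is what the two pieces of advice on this page look like together in one classic IOS Firewall configuration: the `ip inspect name ... http java-list` rule described at the top of the page, and the half-open-session limits and return-traffic-only policy that the message above describes. The inspection name CBAC_OUT, the ACL numbers and names, the interface names, the addresses (documentation ranges) and every threshold value are assumptions chosen for illustration, not values from the thread.

```cisco
! --- Trusted Java sources (constructed addresses; replace with your own) ---
! java-list only accepts a *standard* ACL (1-99 or 1300-1999). It is matched
! against the address of the web server whose HTTP response carries the applet.
access-list 10 remark Web servers whose Java applets may pass
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any

! --- Inspection rule set (the name CBAC_OUT is arbitrary) ---
! HTTP: the page is still delivered, but an applet in a response from a server
! not permitted by ACL 10 is dropped and logged. Applets inside .jar/.zip
! archives are not recognised, so this is not a complete Java block.
ip inspect name CBAC_OUT http java-list 10 audit-trail on timeout 3600
! Generic TCP/UDP: track sessions leaving the inside and open the return path
! only for them (idle timeouts in seconds).
ip inspect name CBAC_OUT tcp timeout 3600
ip inspect name CBAC_OUT udp timeout 30
! Application-aware inspection for protocols that negotiate extra channels.
ip inspect name CBAC_OUT ftp
ip inspect name CBAC_OUT smtp

! --- Half-open (embryonic) connection limits: the DoS knobs the thread mentions ---
! Global count: start deleting half-open sessions above 400, stop below 300.
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
! Rate: the same thresholds measured as new half-open sessions per minute.
ip inspect one-minute high 400
ip inspect one-minute low 300
! Per destination host: above 40 half-open TCP sessions to one host, with
! block-time 0 the oldest half-open session to that host is deleted for each
! new SYN; a positive block-time (minutes) instead drops them all and refuses
! new connections to that host for that long.
ip inspect tcp max-incomplete host 40 block-time 0
! A TCP session that has not completed its handshake is dropped after 20 s.
ip inspect tcp synwait-time 20
! Log session creation/deletion and Java blocks to syslog.
ip inspect audit-trail

! --- Static policy on the outside interface ---
! Everything inbound is denied; CBAC inserts temporary permit entries ahead of
! this list for sessions it saw leave through the same interface. ICMP is not
! tracked by classic CBAC, so the replies we want are permitted statically.
ip access-list extended OUTSIDE_IN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log

interface Serial0/0
 description Internet (untrusted)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE_IN in
 ip inspect CBAC_OUT out

interface FastEthernet0/0
 description Inside LAN (trusted)
 ip address 10.0.0.1 255.255.255.0
```

Apply it and check `show ip inspect config` (rules and thresholds), `show ip inspect sessions detail` (the state table) and `show ip access-lists OUTSIDE_IN`, where CBAC's temporary permit entries appear above the static lines while a session is open. A blocked applet is logged as %FW-4-HTTP_JAVA_BLOCK with the server and client addresses. Two limits worth knowing before relying on this: the HTTP rule only sees traffic on port 80 unless you add a port map (`ip port-map http port 8080`, available from 12.0(5)T), and nothing inside HTTPS is inspected, so an applet fetched over SSL passes regardless of the java-list. Finally, as the first message on the page suspects, an applet delivered inside a .jar or .zip archive is not recognised as Java, and the rule blocks applets rather than the page that references them, so hosts that must not run Java at all still need Java disabled in the browser.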
RE: enable security features with Cisco IOS using CBAC
Hello Chris,

I would like to know how CBAC can be used to disable Java scripts. Can you tell me how I can have defense from such kind of vulnerabilities of Java?

A Security Hole in Navigator 4.7 or earlier versions is found by West Coast consultants.

A security hole discovered and delivered by a West Coast computer consultant makes it possible to build a Web page that can turn a Netscape 4.7 or earlier browser into a Web server, letting anyone browse and download files on the system.

In tests of code downloaded from the Web site of Dan Brumleve, eWEEK Labs was able to build a Web page that, when browsed using Communicator 4.7, gave us access to defined directories on the system of the client browsing the Web site. We simply accessed it through a browser by entering the IP address of the client system. The exploit functions in much the same way as file-sharing systems such as Napster.

The hole works by exploiting two Java classes (netscape.net.URLConnection and netscape.net.URLinputStream) that are included in the Java implementation used by Netscape browsers. By using a Java applet on the site, the exploit is able to launch a local Java Web server within the browser, which can then be accessed remotely. The server does not stop until Netscape has been fully exited.

Who's vulnerable?

The exploit affects Netscape Communicator and Navigator Versions 4.7 and earlier running on Windows systems and on Linux. Because it utilizes the unique Java implementation in these browsers, the exploit doesn't affect Internet Explorer or the Mozilla builds and the Netscape 6 pre-betas, which use the standard Sun JVM. (See eWEEK Labs' review of Netscape 6 Preview Release 2.)

To defend against this exploit, users can turn off Java within their Netscape browser or use a browser that isn't affected by the problem. Companies with good firewalls should also be fairly well protected. Although Netscape has yet to release a fix for the bug, the fact that it uses two seldom-used Java classes should make a fix fairly simple. In our tests, we also found that Netscape browsers using a proxy server seemed to be immune to the exploit.

Users should keep in mind that, like often-discussed (but rarely seen) hostile Java applets, this exploit must be deployed on a Web site to work and cannot be distributed like a virus in the way that the popular hacker ware Back Orifice can. And while the closely named Back Orifice provides full control over attacked systems, the new Brown Orifice provides access only to files.

-Original Message-
From: Chris Larson [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000 7:28 PM
To: 'Dinesh_Kakkar'; [EMAIL PROTECTED]
Subject: RE: enable security features with Cisco IOS using CBAC
RE: enable security features with Cisco IOS using CBAC
Yes, Chuck, the feature available is really exciting, but the point is that this feature has been available for a long time. I don't know why this feature couldn't get popularity. That's why I want to know if someone has already implemented this feature and is using it. Friends, your comment on this will be really helpful for technology enhancement, because I am comparing this feature with a firewall like CheckPoint.

Dinesh

-Original Message-
From: Chuck Larrieu [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000 11:43 AM
To: [EMAIL PROTECTED]
Subject: RE: enable security features with Cisco IOS using CBAC
RE: enable security features with Cisco IOS using CBAC
Funny you should mention this. CBAC is one of the components of the MCNS specialty and one of the strong features of the IOS security now. I've read a bit in the Held and Hundley book Cisco Access Lists Field Guide.

Now that I have the means to do so, I have been contemplating how to demonstrate CBAC to interested parties in a way that can help all of us learn a little more. I'd like to be able to demonstrate something other than ping and traceroute tests. Maybe if someone has a telnet host we can use?

Telnet_Host-internet--My_Router/with CBAC---|
                                             |Another_Router/telnet into it? and then telnet into the cbac router?

If the Cisco chat room is available, we can use that as a classroom of sorts. Contact me off line to hash out some ideas for this.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dinesh_Kakkar
Sent: Tuesday, August 08, 2000 10:06 PM
To: [EMAIL PROTECTED]
Subject: enable security features with Cisco IOS using CBAC
Importance: High