Difference between revisions of "Netband Project - IOS firewall"
From Teknologisk videncenter
(→Configuration) |
(→Configuration) |
||
| Line 15: | Line 15: | ||
ip inspect name iosfw http | ip inspect name iosfw http | ||
ip inspect name iosfw https | ip inspect name iosfw https | ||
| − | + | ! | |
interface FastEthernet0/0 | interface FastEthernet0/0 | ||
| + | description OUTSIDE | ||
ip inspect iosfw in | ip inspect iosfw in | ||
| + | ip access-group 101 in | ||
| + | ! | ||
| + | access-list 101 permit udp any eq isakmp any eq isakmp | ||
| + | access-list 101 permit esp any any | ||
| + | access-list 101 permit tcp any any eq 22 | ||
| + | access-list 101 deny ip any any log | ||
</pre> | </pre> | ||
Revision as of 11:06, 27 April 2009
<accesscontrol>NetBand</accesscontrol> This page is part of the Netband Project
Contents
Context Based Access Control (CBAC)
- filters TCP and UDP packets based on application-layer protocol session information.
- more flexible than access control lists, that checks packets at the network layer, or at most, the transport layer
- inspects packet sequence numbers in TCP connections
- detects unusually high rates of new connections and issue alert messages.
- creates temporary openings in the return acl to allow traffic back in.
Configuration
ip inspect name iosfw ftp ip inspect name iosfw tcp ip inspect name iosfw udp ip inspect name iosfw http ip inspect name iosfw https ! interface FastEthernet0/0 description OUTSIDE ip inspect iosfw in ip access-group 101 in ! access-list 101 permit udp any eq isakmp any eq isakmp access-list 101 permit esp any any access-list 101 permit tcp any any eq 22 access-list 101 deny ip any any log