Difference between revisions of "Netband Project - IOS firewall"
From Teknologisk videncenter
Revision as of 10:40, 27 April 2009
This page is part of the Netband Project
Context Based Access Control (CBAC)
- filters TCP and UDP packets based on application-layer protocol session information.
- more flexible than access control lists, which check packets at the network layer or, at most, the transport layer.
- inspects packet sequence numbers in TCP connections.
- detects unusually high rates of new connections and issues alert messages.
- creates temporary openings in the return ACL to allow traffic back in.
Configuration
ip inspect name iosfw ftp
ip inspect name iosfw tcp
ip inspect name iosfw udp
ip inspect name iosfw http
ip inspect name iosfw https
!
interface FastEthernet0/0
 description OUTSIDE
 ip inspect iosfw in
 ip access-group 101 in
!
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit esp any any
access-list 101 permit tcp any any eq 22
access-list 101 deny ip any any log
Verification
B1rt1#sh ip inspect sessions
Half-open Sessions
 Session 65E15880 (192.168.0.1:123)=>(10.255.255.13:123) udp SIS_OPENING