Posted by bod43 on March 12, 2009, 10:44 pm
> I am a novice with Cisco routers, so please forgive me if this
> question is a bit odd. I have a Cisco 871 router where the WAN
> interface is on the FastEthernet4 interface. What are the primary
> differences between associating an ip inspect rule for outgoing
> packets on this interface versus having an access-list that allows
> "established" packets through the interface. So, for example, I can
> have an ip inspect rule that states "ip inspect DEFAULT100 out" and
> apply it to the FastEthernet4 interface via "ip inspect DEFAULT100
> out." Or, I can simply have an ACL rule that states "access-list 100
> permit tcp any any established" and apply it to the FastEthernet4
> interface via "ip access-group 100 in." These both seem to accomplish
> the same thing--namely allowing client-initiated traffic back through
> the WAN interface into the internal network. What are the advantages/
> disadvantages to each approach. I imagine the ip inspect rule takes
> more processing, but is more "diligent" about what types of packets it
> will allow through the interface into the internal network. Again,
> this is just a guess and I will defer to more knowledgeable users.
> Any insight that someone can provide is appreciated. I'm more
> interested out of curiosity than anything. Thanks.
Inspect is likely to be the best choice. It's certainly
what I use.

Benefits of Inspect are it can (and does) examine upper
layer (>L3) protocols.

Limitations of established are:
- Does not work for UDP or other non-TCP traffic
- Does not work for active ftp and other upper layer
  protocols (H.323?).
- Potential attack with SYN + ACK packet -
  you depend on client IP stack to resist
- Potential other attacks - packets with no session -
  you depend on client IP stack to resist

Beware - inspect http - turns on java blocking.
Probably not what you want.

Just to add confusion - you can also consider
reflexive access-lists.
This works like inspect in that it creates a list of allowed
inbound traffic dynamically but has no upper layer
examination.
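To make the three approaches bod43 compares concrete, here is an added Python model written for this page; it is not Cisco code and not from the original post. It replays four inbound packets through toy versions of each filter: a stateless `established` ACL (passes any TCP segment with ACK or RST set), a reflexive ACL (mirrors 5-tuples seen leaving, any IP protocol, no payload inspection), and a CBAC-style inspector that additionally opens a pinhole for an active-mode FTP data connection announced in a PORT command. Host addresses, ports, payloads, the class and function names, and the single FTP rule are all constructed for the illustration; real CBAC and reflexive ACLs also track TCP sequence numbers and idle timeouts, which the model omits.

```python
"""Toy model of three ways to let return traffic back in through a WAN interface.

Constructed illustration for this thread, not Cisco code and not from the
original post.  It models only the filtering semantics being compared:

  established_acl  - stateless: 'permit tcp any any established' passes any
                     TCP segment with ACK or RST set; no memory of sessions
  ReflexiveAcl     - stateful at L3/L4: passes only the mirror image of a
                     flow seen leaving (any IP protocol), never looks at payload
  Cbac             - stateful plus application awareness; the only L7 behaviour
                     modelled is a pinhole for an active-mode FTP data channel

Addresses, ports and payloads below are constructed sample values.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN", "ACK"}
    payload: bytes = b""


def established_acl(pkt: Packet) -> bool:
    """access-list 100 permit tcp any any established (no state at all)."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class ReflexiveAcl:
    """permit ... reflect NAME on the way out, evaluate NAME on the way in."""

    def __init__(self) -> None:
        # (proto, src, sport, dst, dport) tuples of replies currently allowed in
        self.sessions: set = set()

    def outbound(self, pkt: Packet) -> None:
        # Remember the reversed 5-tuple so the reply can come back in.
        self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions


class Cbac(ReflexiveAcl):
    """ip inspect: everything the reflexive ACL does, plus L7 awareness."""

    PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

    def outbound(self, pkt: Packet) -> None:
        super().outbound(pkt)
        # FTP control channel (port 21): an active-mode PORT command tells the
        # server where to connect back from its port 20; open that pinhole.
        if pkt.proto == "tcp" and pkt.dport == 21:
            m = self.PORT_RE.search(pkt.payload)
            if m:
                a, b, c, d, hi, lo = (int(g) for g in m.groups())
                client = f"{a}.{b}.{c}.{d}"
                self.sessions.add(("tcp", pkt.dst, 20, client, hi * 256 + lo))


def run_scenarios() -> dict:
    """Return {scenario: (established, reflexive, cbac)} verdicts for inbound packets."""
    inside, outside = "192.168.1.10", "203.0.113.5"   # constructed sample hosts
    refl, cbac = ReflexiveAcl(), Cbac()
    results = {}

    def decide(pkt: Packet) -> tuple:
        return (established_acl(pkt), refl.inbound(pkt), cbac.inbound(pkt))

    # 1. Normal reply to a TCP connection the inside host opened: all three pass it.
    syn = Packet("tcp", inside, 40000, outside, 80, frozenset({"SYN"}))
    for fw in (refl, cbac):
        fw.outbound(syn)
    results["tcp_reply"] = decide(
        Packet("tcp", outside, 80, inside, 40000, frozenset({"SYN", "ACK"})))

    # 2. SYN+ACK aimed at a port nobody opened: 'established' keeps no session
    #    table, so only the client's own IP stack stands in the way.
    results["unsolicited_synack"] = decide(
        Packet("tcp", outside, 80, inside, 60000, frozenset({"SYN", "ACK"})))

    # 3. DNS answer: UDP has no flags, so 'established' can never match it.
    query = Packet("udp", inside, 53000, outside, 53)
    for fw in (refl, cbac):
        fw.outbound(query)
    results["udp_reply"] = decide(Packet("udp", outside, 53, inside, 53000))

    # 4. Active FTP: the server opens the data connection *to* the client from
    #    port 20.  Only the L7-aware filter knows to expect it.
    ctl = Packet("tcp", inside, 40001, outside, 21, frozenset({"ACK", "PSH"}),
                 b"PORT 192,168,1,10,195,80\r\n")   # 195*256+80 = port 50000
    for fw in (refl, cbac):
        fw.outbound(ctl)
    results["active_ftp_data"] = decide(
        Packet("tcp", outside, 20, inside, 50000, frozenset({"SYN"})))
    return results


if __name__ == "__main__":
    for name, (est, rfl, cb) in run_scenarios().items():
        print(f"{name:20s} established={est!s:5} reflexive={rfl!s:5} inspect={cb}")
```

Running it prints one line per scenario: only the plain TCP reply is accepted by all three, the unsolicited SYN+ACK gets through the `established` ACL alone, the UDP reply is dropped by `established` alone, and the active FTP data connection is accepted only by the inspector. That is the whole of the trade-off in the thread: `established` costs nothing but decides per packet, a reflexive ACL adds a session table, and inspect adds knowledge of the protocol running inside the session.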