
Tuesday, September 25, 2007

Authentication Proxy

What is authentication proxy?
It enables administrators to restrict access to resources on a per-user basis. It can be used to authenticate both inbound and outbound connections.

Only supports HTTP, HTTPS, FTP or Telnet (only on the standard ports?).


How Authentication Proxy Works
  1. The source host initiates an HTTP connection that is intended to pass through the Cisco IOS Firewall to reach its destination.
  2. The Cisco IOS Firewall checks to see whether the source has already been authenticated. If the source has not previously authenticated, the firewall sends a login prompt to the user.
  3. The user enters the username and password, and the Cisco IOS Firewall verifies the user account information with the AAA server (or the local database).
  4. If the user provides the correct account information and is authenticated by the AAA server, the firewall allows the connection to complete.

Limitations of Authentication Proxy
  1. Triggers only on HTTP connections.
  2. Only supports HTTP and HTTPS on the standard ports (80 and 443). (Does this refer to the router or to the remote server?)
  3. Client browsers must support JavaScript.
  4. Applies to traffic passing through the router, not to traffic destined to the router.
  5. Does not support concurrent usage: if two users try to log in from the same host at the same time, authentication and authorization apply only to the user who first submits a valid username and password.
  6. Supports only one AAA server; load balancing across multiple AAA servers is not supported.
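The flow and limitations above, as an added configuration example that is not part of the original post: HTTP authentication proxy on the inside interface of an IOS Firewall with a TACACS+ server. The addresses, interface names, rule name and shared key are constructed placeholders, and the AAA server is assumed to sit on the inside LAN.

```cisco
! Added example (not from the original post). Addresses, names and the
! TACACS+ key are constructed placeholders.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.0.0.5
tacacs-server key TACACS-KEY-PLACEHOLDER
!
! The proxy presents its login page through the router's own HTTP server,
! so the server must be enabled and must authenticate via AAA.
ip http server
ip http authentication aaa
!
! Authenticated entries are aged out after 60 idle minutes (global default).
ip auth-proxy auth-cache-time 60
! Rule that triggers the proxy; only HTTP triggers it in this release.
ip auth-proxy name HTTP-PROXY http
!
interface FastEthernet0/0
 description INSIDE (constructed)
 ip address 10.0.0.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy HTTP-PROXY
!
! Static inbound ACL: before a user authenticates, the only traffic allowed
! is the TACACS+ reply from the AAA server back to the router. After a
! successful login the per-user profile returned by the AAA server
! (cisco-av-pair attributes proxyacl#1, proxyacl#2 ... and priv-lvl=15,
! configured on the AAA server side) is inserted as dynamic entries ahead
! of these lines. Only the first user to authenticate from a host gets them.
access-list 110 permit tcp host 10.0.0.5 eq tacacs host 10.0.0.1
access-list 110 deny   ip any any log
!
! Verification commands:
!   show ip auth-proxy cache          - authenticated hosts and timers
!   show ip auth-proxy configuration  - rules and cache time
!   show ip access-lists 110          - dynamic entries added after login
```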

Monday, September 24, 2007

Context-Based Access Control

Reference
Cisco IOS Firewall Feature Set Frequently Asked Questions

* CBAC can impact the efficiency of your router; use CBAC only when you need to.


* CBAC does not protect against attacks originating from within the protected network. CBAC only detects and protects against attacks that travel through the Cisco IOS Firewall.

CBAC Restrictions

CBAC is available only for IP traffic.
Only TCP, UDP and common ICMP packet types are inspected.
Other IP traffic, such as routing protocols, cannot be inspected with CBAC and should be filtered with basic ACLs instead.

Generic TCP and UDP inspection does not cover every protocol.
Basic configuration
Define the inspection set:
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp

Certain applications that use a secondary data channel, such as voice applications or streaming media applications, may require that you configure the protocol-specific inspection for that particular service, such as "inspect ftp", "inspect skinny", or "inspect h.323".

CBAC with ACL
Traffic is inspected after passing ACLs
Packets entering the Cisco router are inspected by Cisco IOS Firewall CBAC only if they first pass the inbound ACL on the interface. If a packet is denied by the ACL, it is simply dropped and is not inspected by CBAC.

The difference between CBAC and ACLs
Unlike ACLs, which are limited to examining packets at the network layer, CBAC examines not only the network and transport layers but also the application layer protocol information, to learn the state of the TCP or UDP session.

Half-open Sessions
A half-open session is a session that is open in only one direction. For TCP traffic, this might mean that the session did not complete the three-way handshake. For UDP traffic, it means that return traffic was not detected.
CBAC measures both the rate of new connection attempts and the number of active half-open sessions several times per minute. If the number of half-open sessions or the rate of new connection attempts rises above the configured threshold, the software starts deleting half-open sessions. This deletion continues until the count or rate drops below the threshold.

ACL Bypass
Prior to this feature, a packet could go through as many as three redundant searches: one input ACL search, one output ACL search, and one inspection session search.
With ACL bypass, when return traffic finds a matching entry in the session table, it is shunted past the ACLs in the packet path.

Alerts and Audit Trails
The audit trail feature uses syslog to track all network transactions, recording time stamps, source host, destination host, ports used, and the total number of bytes transmitted, for advanced session-based reporting.
Real-time alerts send syslog error messages to central management consoles when suspicious activity is detected.


How CBAC Works
CBAC creates temporary openings in ACLs at Cisco IOS Firewall interfaces. These openings are created when specified traffic exits your internal network through the Cisco IOS Firewall. The openings allow returning traffic that would normally be blocked. The traffic is allowed back through the Cisco IOS Firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the Cisco IOS Firewall.

CBAC with UDP
CBAC uses the source/destination addresses and port numbers, and whether the packet was detected soon after another similar UDP packet, to determine whether the packet belongs to a particular session. "Soon" means within the configurable UDP idle timeout period.
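The sections above (inspection after the ACL, half-open session thresholds, audit trail, temporary openings for return traffic, and the UDP idle timeout) as one added configuration example that is not from the original post. Addresses, interface names and threshold values are constructed for illustration.

```cisco
! Added example (not from the original post): CBAC on a two-interface
! IOS Firewall. Addresses, interface names and thresholds are constructed.
!
! Global settings: syslog audit trail, the TCP session aging timer, and the
! UDP idle timer that defines "soon" for grouping UDP packets into a session.
ip inspect audit-trail
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
! Half-open thresholds: CBAC starts deleting half-open sessions at "high"
! and stops at "low", both as an absolute count and as a one-minute rate.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-destination limit: after 50 half-open TCP sessions to one host, block
! new connection attempts to that host for 2 minutes.
ip inspect tcp max-incomplete host 50 block-time 2
!
! Inspection rule: generic TCP/UDP/ICMP plus protocol-specific FTP so the
! secondary data channel is opened dynamically.
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
ip inspect name myfw ftp
!
! Inside interface: the inbound ACL is checked first; only packets it permits
! are inspected and recorded in the session table.
interface FastEthernet0/0
 description INSIDE (constructed)
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
 ip inspect myfw in
!
! Outside interface: the static ACL denies everything. CBAC creates temporary
! openings in it for return traffic that matches a session in its table.
! Traffic CBAC cannot inspect (for example routing protocols) needs explicit
! permit entries in ACL 102.
interface Serial0/0
 description OUTSIDE (constructed)
 ip address 192.0.2.1 255.255.255.252
 ip access-group 102 in
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 deny   ip any any log
access-list 102 deny   ip any any log
!
! Verification commands:
!   show ip inspect sessions     - active and half-open sessions
!   show ip inspect statistics   - half-open counts against the thresholds
!   show ip inspect config       - timers, thresholds and inspection rules
```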