Velocity Reviews - Computer Hardware Reviews

IP INSPECT question

 
 
JF Mezei
Guest
Posts: n/a
 
      01-21-2010
I have tried to read up on the IP INSPECT capabilities in IOS.

I can see its usefulness for FTP, since it has the smarts to "open new
ports" in the ACLs to allow FTP data transfers between two random ports.

I had been led to believe that it had intrusion detection capabilities
(such as blocking an IP for some time after X unsuccessful login
attempts), but I read nothing about it.

Can anyone confirm that it does not have the ability to detect
unsuccessful login attempts and then block that IP for a random amount of
time?

And if the job falls on the server to detect the invalid login attempts,
would the server then tell the router to block a certain IP address?
What is the best method to do this? SNMP? Or just have a telnet script
that goes in and adds an entry in an ACL?
 
Igor Mamuzić aka Pseto
Guest
Posts: n/a
 
      01-21-2010
On 21.1.2010 12:28, JF Mezei wrote:
> I have tried to read up on the IP INSPECT capabilities in IOS.
>
> I can see its usefulness for FTP, since it has the smarts to "open new
> ports" in the ACLs to allow FTP data transfers between two random ports.
>
> I had been led to believe that it had intrusion detection capabilities
> (such as blocking an IP for some time after X unsuccessful login
> attempts), but I read nothing about it.
>
> Can anyone confirm that it does not have the ability to detect
> unsuccessful login attempts and then block that IP for a random amount of
> time?
>
> And if the job falls on the server to detect the invalid login attempts,
> would the server then tell the router to block a certain IP address?
> What is the best method to do this? SNMP? Or just have a telnet script
> that goes in and adds an entry in an ACL?
>

A Cisco router's ip inspect (the CBAC firewall feature) gives the router
application firewall capabilities, such as allowing tcp:25 communication
only if it contains valid SMTP or ESMTP commands, or detecting tunneling,
instant messaging, etc. through port 80, and so on. A Cisco router can
detect unsuccessful authentication attempts to itself and block the
offending IP address, and can also provide authentication proxy services
for remote hosts. For example, you can tell your router to require users
to authenticate themselves (through a web browser or telnet) to the
router first, and if authentication is successful the router will allow
direct communication with the protected server from the user's IP
address. This can go a little bit further, so you may also authorize
users. For example, you can put special downloadable access-lists on your
RADIUS server and map those access-lists to a user group (also on
RADIUS). Then the router can check if the user exists (authentication)
and, if so, what access-list to apply for the group that user belongs
to. The router will swap the source 'any' keyword with the user's host IP
address in the access-list automatically. Of course this will not offer
you a single sign-on user experience. For something like this you should
use true proxy servers such as Microsoft ISA (TMG) or, for example, Blue
Coat.

Regards,
Igor
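
As an added example, not part of either post, the configuration below assembles the three router-side capabilities Igor describes into one IOS snippet: blocking of failed logins to the router itself (assumed here to be the `login block-for` feature), CBAC stateful inspection with the FTP and SMTP application awareness mentioned in both posts, and HTTP authentication proxy with per-user ACL entries delivered from RADIUS. Interface names, all addresses (192.0.2.x, 198.51.100.x, 10.0.0.x), the policy names, the RADIUS host and shared secret, and the sample RADIUS user entry are constructed placeholders, not values from the thread. One caveat worth knowing: `login block-for` quiet mode blocks all login sources except those matched by the `login quiet-mode access-class` ACL, so it is a rate limit on the router's own login service rather than a per-offender block.

```cisco
! Added example, not from the thread. All names and addresses are placeholders.

! --- 1. Failed-login protection for the router itself -------------------
! After 3 failed logins within 60 s, refuse further logins for 120 s.
! Hosts in MGMT-HOSTS (constructed management address) are exempt from
! quiet mode so an operator is not locked out during an attack.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
login on-success log

! --- 2. CBAC (ip inspect) stateful inspection ----------------------------
! "ftp" tracks the PORT/PASV negotiation and opens the data channel
! dynamically; "smtp" admits only legal SMTP/ESMTP commands on tcp/25;
! "tcp"/"udp" give generic session tracking for everything else.
ip inspect name FW-OUT ftp
ip inspect name FW-OUT smtp
ip inspect name FW-OUT http
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp

! Inbound ACL on the outside interface: only the published web server is
! reachable; return traffic for inside-initiated sessions is admitted by
! the dynamic entries that inspection adds in front of this ACL.
ip access-list extended OUTSIDE-IN
 permit tcp any host 198.51.100.5 eq 80
 deny   ip any any log

interface GigabitEthernet0/0
 description outside (placeholder)
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out

! --- 3. Authentication proxy with RADIUS-supplied per-user ACL entries ---
aaa new-model
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
radius-server host 192.0.2.20 key PLACEHOLDER-SHARED-SECRET
ip http server
ip http authentication aaa
! Sessions idle for 60 minutes are torn down and must re-authenticate.
ip auth-proxy name AUTHPROXY http inactivity-time 60

! The inside ACL lets users reach the router's own HTTP login page and
! blocks the protected server until auth-proxy installs the user's entries.
ip access-list extended INSIDE-IN
 permit tcp any host 10.0.0.1 eq 80
 deny   ip any host 10.0.0.50
 permit ip any any

interface GigabitEthernet0/1
 description inside (placeholder)
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDE-IN in
 ip auth-proxy AUTHPROXY

! RADIUS side, shown as a constructed FreeRADIUS-style "users" entry.
! The router replaces the "any" source in each proxyacl entry with the
! authenticated host's address when it installs the dynamic ACL lines.
!
! jdoe  Cleartext-Password := "PLACEHOLDER"
!       Cisco-AVPair = "auth-proxy:priv-lvl=15",
!       Cisco-AVPair = "auth-proxy:proxyacl#1=permit tcp any host 10.0.0.50 eq 22",
!       Cisco-AVPair = "auth-proxy:proxyacl#2=permit tcp any host 10.0.0.50 eq 443"
```

On a running router, `show ip inspect sessions`, `show ip auth-proxy cache` and `show login` display the dynamic inspection entries, the active proxy sessions with their installed ACL lines, and whether quiet mode is currently engaged, which is the quickest way to confirm each of the three features is actually doing work.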

 