IP INSPECT question

Discussion in 'Cisco' started by JF Mezei, Jan 21, 2010.

  1. JF Mezei

    I have tried to read up on the IP INSPECT capabilities in IOS.

    I can see its usefulness for FTP since it has the smarts to "open new
    ports" in the ACLs to allow FTP data transfers between two random ports.

    I had been led to believe that it had intrusion detection capabilities
    (such as blocking an IP for some time after X unsuccessful login
    attempts), but I read nothing about it.

    Can anyone confirm that it does not have the ability to detect
    unsuccessful login attempts and then block that IP for a random amount of
    time?

    And if the job falls on the server to detect the invalid login attempts,
    would the server then tell the router to block a certain IP address?
    What is the best method to do this? SNMP? Or just have a telnet script
    that goes in and adds an entry in an ACL?
    JF Mezei, Jan 21, 2010
    #1

  2. On 21.1.2010 12:28, JF Mezei wrote:
    > I have tried to read up on the IP INSPECT capabilities in IOS.
    >
    > I can see its usefulness for FTP since it has the smarts to "open new
    > ports" in the ACLs to allow FTP data transfers between two random ports.
    >
    > I had been led to believe that it had intrusion detection capabilities
    > (such as blocking an IP for some time after X unsuccessful login
    > attempts), but I read nothing about it.
    >
    > Can anyone confirm that it does not have the ability to detect
    > unsuccessful login attempts and then block that IP for a random amount of
    > time?
    >
    > And if the job falls on the server to detect the invalid login attempts,
    > would the server then tell the router to block a certain IP address?
    > What is the best method to do this? SNMP? Or just have a telnet script
    > that goes in and adds an entry in an ACL?
    >

    A Cisco router's ip inspect (the CBAC firewall feature) gives the router
    application-firewall capabilities, such as letting tcp:25 communication
    through only if it contains valid SMTP or ESMTP commands, or detecting
    tunneling, instant messaging, etc. through port 80, and so on. A Cisco
    router can detect unsuccessful authentication attempts to itself and block
    the offending IP address, and it can also provide authentication proxy
    services for remote hosts. For example, you can tell your router to
    require users to authenticate themselves (through a web browser or
    telnet) to the router first, and if authentication is successful the
    router will allow direct communication with the protected server from the
    user's IP address. This can go a little bit further so you may also
    authorize users. For example, you can put special downloadable
    access-lists on your RADIUS server and map those access-lists to a user
    group (also on RADIUS). Then the router can check whether the user exists
    (authentication) and, if so, which access-list to apply for the group
    that user belongs to. The router will swap the source 'any' keyword with
    the user's host IP address in the access-list automatically. Of course
    this will not offer you a single sign-on user experience. For something
    like that you should use true proxy servers such as Microsoft ISA (TMG)
    or, for example, Blue Coat.

    Regards,
    Igor
    Igor Mamuzić aka Pseto, Jan 21, 2010
    #2
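The three mechanisms Igor describes (CBAC inspection, blocking of failed logins to the router itself, and auth-proxy with RADIUS authorization) as a single IOS configuration fragment. This is an added example and is not from either poster; interface names, the OUTBOUND/INBOUND/AUTHP names, the 192.0.2.x/203.0.113.x/192.168.10.x addresses and the RADIUS key are placeholders. One caveat worth knowing before relying on it: `login block-for` reacts to failed logins against the router (vty/console), not against servers behind it, and during the quiet period it refuses logins from every source except those matched by the quiet-mode access-class; it does not maintain a per-IP block list. The quiet period is fixed, so a "random" block time as asked in the question is not available.

```cisco
! --- CBAC (ip inspect) -------------------------------------------------
! Outbound sessions are tracked and their return traffic (including the
! FTP data channel) is opened dynamically in the inbound ACL.
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND smtp
ip inspect name OUTBOUND http
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Inbound SMTP to the mail server is inspected at the application layer:
! sessions that do not carry valid SMTP/ESMTP commands are dropped.
ip inspect name INBOUND smtp
ip inspect audit-trail
!
ip access-list extended OUTSIDE_IN
 permit tcp any host 203.0.113.25 eq 25
 permit tcp 192.0.2.0 0.0.0.255 host 203.0.113.1 eq 22
 deny   ip any any log
!
interface FastEthernet0/0
 description Internet-facing
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE_IN in
 ip inspect OUTBOUND out
 ip inspect INBOUND in
!
! --- Failed logins to the router itself ---------------------------------
! After 3 failures within 60 s, refuse all logins for 120 s, except from
! the management subnet named in the quiet-mode access-class.
ip access-list standard MGMT_HOSTS
 permit 192.0.2.0 0.0.0.255
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT_HOSTS
login on-failure log
login on-success log
login delay 2
!
! --- Authentication proxy with RADIUS authorization ---------------------
! Inside users must authenticate over HTTP to the router first; on success
! RADIUS may return a downloadable ACL whose source "any" is rewritten to
! the authenticated host's IP address.
aaa new-model
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
radius-server host 192.0.2.10 key EXAMPLE-KEY
ip http server
ip http authentication aaa
ip auth-proxy name AUTHP http inactivity-time 60
!
interface FastEthernet0/1
 description inside users
 ip address 192.168.10.1 255.255.255.0
 ip auth-proxy AUTHP
```

To verify the pieces separately: `show ip inspect sessions` lists the CBAC sessions and the dynamically opened return entries, `show login` reports whether the router is in normal or quiet mode and how many failures it has counted, and `show ip auth-proxy cache` shows which source addresses currently hold an auth-proxy entry and the ACL applied to them.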
