CBAC VS REFLEXIVE ACL 2

[maczen]

Was wondering what the advantage is, if any, of CBAC (Context Based Access Control) over Reflexive ACLs? Also, have any of you guys had any opportunities to play with IOS-CS and AAA?



B Haines
CCNA R&S, ETA FOI

 

[Cluebird]

They are the same thing. CBAC is now called IOS firewall. Reflexive ACLs are used by IOS firewall.

 

[maczen]

I see.. Thanks again!

B Haines
CCNA R&S, ETA FOI

 

[burtsbees]

I use Progressive myself.

Burt

 

[maczen]

lol

B Haines
CCNA R&S, ETA FOI

 

[maczen]

I read something interesting and wanted to check with you guys...

A reflexive access list does NOT imply stateful packet inspection? And would this mean that if I set my ACL up something like this..

access-list 101 permit tcp 172.16.1.0 0.0.0.255 eq 22 any established

Then would anyone from the outside be able to get tcp traffic through by setting the source port to 22 and setting the ack bit?

B Haines
CCNA R&S, ETA FOI

 

[Cluebird]

Yup. Hackers can craft packets that have syn-ack bits and whatever other information they want in L3/L4 headers to get through packet filters. That is why stateful inspection is so important.

 

[maczen]

Thanks Clue.. It's funny. The CBTNuggets CCNA video said that this was a secure setup but made no reference to stateful packet inspection.. (Probably just trying to keep it on a CCNA level though)..

Question: On both sides of the scale.. Do you have any links that cover the hacker side of "crafting" these packets and/or the defensive side of protecting against... Just anything that stands out in your mind as a really good site/reference...

B Haines
CCNA R&S, ETA FOI

 

[burtsbees]

Look into the Ethical Hacker certs.

Burt

 

[maczen]

I should start a new thread here but i did look at that cert once. Seems that you need company endorsement (from the company you work for)??? You guys know anything about that?

B Haines
CCNA R&S, ETA FOI