10-24-2003 10:30 AM - edited 03-09-2019 05:16 AM
Say a small company with a 2-interface 2600 router is hosting a www server and also requires access to an ssh server. Please set aside the ideal 3-interface DMZ setup for a moment and just go with me on this. Truncated config follows:
ip inspect name MYeth0 tcp
... and all the rest of the inspect services
ip inspect name MYser0 tcp
ip inspect name MYser0 www
int eth 0
ip access-group 100 in
ip inspect MYeth0 in
int ser 0
ip access-group 101 in
ip inspect MYser0 in ### here is my question
access-list 100 permit ip any any
access-list 101 permit tcp any host x.x.x.x eq www
access-list 101 permit tcp any host x.x.x.x eq 22
access-list 101 deny ip any any
The "ip inspect MYser0 in" is NOT required to allow access to the two services; the ACLs are sufficient to give access to them. What benefits are there to adding this inspect rule on the outside interface for this circumstance? Or is it actually better not to have it, performance-wise?
Then, more specifically, if it is still a good idea to inspect, would it really need to do an "ip inspect name MYser0 www", or can it simply do an "ip inspect name MYser0 tcp", since it might not need to do a www inspection on www packets that are coming from their own server?
10-24-2003 03:23 PM
Hi,
See my answers inline
The "ip inspect MYser0 in" is NOT required to allow access to the two services; the ACLs are sufficient to give access to them.
>> Correct it is not required
What benefits are there to adding this inspect rule on the outside interface for this circumstance? Or is it actually better not to have it, performance-wise?
>> Better not to have it; no additional benefits unless you also have another "outbound" access-list on ser0 or an "inbound" access-list on eth0.
Then, more specifically, if it is still a good idea to inspect, would it really need to do an "ip inspect name MYser0 www", or can it simply do an "ip inspect name MYser0 tcp", since it might not need to do a www inspection on www packets that are coming from their own server?
>> Not a good idea at all to do inspection on HTTP, since it will slow down WWW traffic, unless you want to block Java. TCP inspection is sufficient to do the job.
Thanks
Nadeem
10-26-2003 05:14 AM
One disagreement here:
Q - What benefits are there to adding this inspect rule on the outside interface for this circumstance? Or is it actually better not to have it, performance-wise?
A - IP inspect does provide some level of DoS (Denial of Service) protection by monitoring the number of half-open connections, as well as total connections, through the router and to each individual host. Adding the inspect tcp to the serial interface will help to provide some level of protection to your internal servers.
I agree with the rest though.
Scott
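As an added illustration (not part of the thread and not the poster's config), here is the same two-interface layout with the two things the replies bring up made explicit: the global CBAC half-open thresholds that give the DoS protection Scott describes, and an outbound ACL on Serial0 that turns the inbound inspect rule into something the ACLs alone cannot do (Nadeem's condition). The threshold values shown are the IOS defaults and are assumptions for this example; x.x.x.x is the server address as in the original.

```cisco
! Added example configuration; values below are assumptions (IOS defaults),
! not taken from the original thread.
!
! --- Global CBAC DoS thresholds (Scott's point) ---
! Aggregate half-open sessions: start deleting when above "high",
! stop when back below "low".
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
! Same idea, measured as new half-open sessions per minute.
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-destination-host limit; block-time 0 = drop oldest half-open only.
ip inspect tcp max-incomplete host 50 block-time 0
! Seconds to wait for a TCP handshake to complete before dropping it.
ip inspect tcp synwait-time 30
!
! --- Inspection rule: generic TCP only, no HTTP-layer inspection,
!     as Nadeem recommended ---
ip inspect name MYser0 tcp
!
interface Serial0
 ip access-group 101 in
 ip access-group 102 out
 ip inspect MYser0 in
!
! Inbound: only the two published services reach the server.
access-list 101 permit tcp any host x.x.x.x eq www
access-list 101 permit tcp any host x.x.x.x eq 22
access-list 101 deny ip any any
!
! Outbound: the server itself may not open connections to the Internet.
! Its replies to inspected inbound sessions still get out, because the
! inbound inspect on Serial0 creates temporary openings in this ACL.
! Without ACL 102 the inspect rule only contributes the counters above.
access-list 102 deny tcp host x.x.x.x any
access-list 102 permit ip any any
!
! Verification from enable mode:
!   show ip inspect config      - thresholds and the MYser0 rule
!   show ip inspect sessions    - live sessions and their half-open state
```

If the server is later compromised, ACL 102 is what stops it from calling out, while the session table keeps legitimate client traffic flowing.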