Should I inspect incoming requests from public side using IOS FW

dburd
Level 1

Say a small company with a 2-interface 2600 router is hosting a www server and also requires access to an ssh server. Please set aside the ideal 3-interface DMZ setup for a moment and just go with me on this. Truncated config follows:

ip inspect name MYeth0 tcp
... and all the rest of the inspect services
ip inspect name MYser0 tcp
ip inspect name MYser0 www
!
int eth 0
 ip access-group 100 in
 ip inspect MYeth0 in
!
int ser 0
 ip access-group 101 in
 ip inspect MYser0 in ### here is my question
!
access-list 100 permit ip any any
access-list 101 permit tcp any host x.x.x.x eq www
access-list 101 permit tcp any host x.x.x.x eq 22
access-list 101 deny ip any any

The "ip inspect MYser0 in" is NOT required to allow access to the two services; the ACLs are sufficient to give access to them. What benefits are there to adding this inspect rule on the outside interface in this circumstance? Or is it actually better not to have it, performance-wise?

Then, more specifically, if it is still a good idea to inspect, would it really need to do an "ip inspect name MYser0 www", or can it simply do an "ip inspect name MYser0 tcp", since it might not need to do a www inspection on www packets that are coming from their own server?

2 Replies

nkhawaja
Cisco Employee

Hi,

See my answers inline.

The "ip inspect MYser0 in" is NOT required to allow access to the two services - the acls are sufficient enough to give access to them.

>> Correct, it is not required.

What benefits are there to adding this inspect rule on the outside interface for this circumstance? OR is it actually better not to have it performance wise.

>> Better not to have it; no additional benefit unless you also have another "outbound" access-list on ser0 or an "inbound" access-list on eth0.

Then more specifically, if it is still a good idea to inspect, would it really need to do a "ip inspect name MYser0 www" or can it simply do a "ip inspect name MYser0 tcp" since it might not need to do a www inspection on www packets that are coming from their own server?

>> Not a good idea at all to do inspection on HTTP, since it will slow down WWW traffic, unless you want to block Java. TCP inspection is sufficient to do the job.

Thanks

Nadeem

One disagreement here:

Q - What benefits are there to adding this inspect rule on the outside interface for this circumstance? OR is it actually better not to have it performance wise.

A - IP inspect does provide some level of DoS (Denial of Service) protection by monitoring the number of half-open connections, as well as total connections through the router and to each individual host. Adding the inspect tcp to the serial interface will help to provide some level of protection to your internal servers.

I agree with the rest though.

Scott
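Both replies can be checked against a small model. The Python below is an added, constructed example (not Cisco code and not posted by anyone in this thread) that imitates the two CBAC behaviours discussed: inspection on the ingress interface opens a temporary return path through any ACL in the reply direction, and it keeps a half-open TCP session count that an uninspected router simply does not have. It assumes constructed addresses (203.0.113.10 for the inside www host, 198.51.100.x for outside clients), a hypothetical access-list 102 applied outbound on ser0 to stand in for nkhawaja's "outbound access-list" case, and a toy max-incomplete threshold of 3 in place of the real `ip inspect max-incomplete high` default.

```python
# Constructed, simplified model of IOS CBAC-style inspection. Not Cisco code;
# it only reproduces the two behaviours discussed in the thread.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        return (self.dst, self.dport, self.src, self.sport)


def acl_match(acl, pkt):
    """ACL entries are (action, dst_host_or_'any', dport_or_'any'); first match wins."""
    for action, host, port in acl:
        if host in ("any", pkt.dst) and port in ("any", pkt.dport):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


class Router:
    def __init__(self, max_incomplete_high=3):  # toy threshold, assumed
        self.acl_in = {}          # iface -> ACL applied 'in'
        self.acl_out = {}         # iface -> ACL applied 'out'
        self.inspect_in = set()   # ifaces carrying 'ip inspect <name> in'
        self.sessions = {}        # initiator 4-tuple -> 'half-open' | 'established'
        self.max_incomplete_high = max_incomplete_high

    @staticmethod
    def other(iface):
        return "ser0" if iface == "eth0" else "eth0"

    def forward(self, iface, pkt):
        """True if a packet entering on iface is forwarded out the other interface."""
        k, rk = pkt.key(), pkt.reverse_key()
        if rk in self.sessions:            # reply of an inspected session: temporary opening
            return True
        if k in self.sessions:             # more packets from the inspected initiator
            if pkt.ack and not pkt.syn:    # final ACK of the handshake
                self.sessions[k] = "established"
            return True
        # New flow: ordinary ACL processing on ingress 'in' and egress 'out'
        if iface in self.acl_in and not acl_match(self.acl_in[iface], pkt):
            return False
        egress = self.other(iface)
        if egress in self.acl_out and not acl_match(self.acl_out[egress], pkt):
            return False
        if iface in self.inspect_in and pkt.syn and not pkt.ack:
            self.sessions[k] = "half-open"  # inspection records the new TCP session
        return True

    def half_open(self):
        return sum(1 for s in self.sessions.values() if s == "half-open")

    def dos_alarm(self):
        """Analogue of crossing 'ip inspect max-incomplete high'."""
        return self.half_open() > self.max_incomplete_high


WEB = "203.0.113.10"  # constructed address of the inside www/ssh host


def build(inspect_outside, outbound_acl_on_ser0):
    r = Router()
    r.acl_in["eth0"] = [("permit", "any", "any")]                       # access-list 100
    r.acl_in["ser0"] = [("permit", WEB, 80), ("permit", WEB, 22),
                        ("deny", "any", "any")]                          # access-list 101
    if outbound_acl_on_ser0:
        r.acl_out["ser0"] = [("deny", "any", "any")]  # hypothetical access-list 102 out
    if inspect_outside:
        r.inspect_in.add("ser0")                      # ip inspect MYser0 in
    return r


def web_handshake(r, client="198.51.100.7", sport=40000):
    """Forwarding result for SYN (in on ser0), SYN-ACK (in on eth0), ACK (in on ser0)."""
    syn = Pkt(client, sport, WEB, 80, syn=True)
    synack = Pkt(WEB, 80, client, sport, syn=True, ack=True)
    ack = Pkt(client, sport, WEB, 80, ack=True)
    return (r.forward("ser0", syn), r.forward("eth0", synack), r.forward("ser0", ack))


def syn_flood(r, n, client="198.51.100.9"):
    """n SYNs with no completion; returns (half-open count seen, alarm raised)."""
    for i in range(n):
        r.forward("ser0", Pkt(client, 50000 + i, WEB, 80, syn=True))
    return r.half_open(), r.dos_alarm()


if __name__ == "__main__":
    print("no inspect, no outbound ACL:", web_handshake(build(False, False)))
    print("no inspect, outbound ACL:  ", web_handshake(build(False, True)))
    print("inspect, outbound ACL:     ", web_handshake(build(True, True)))
    print("flood, inspect on:         ", syn_flood(build(True, False), 5))
    print("flood, inspect off:        ", syn_flood(build(False, False), 5))
```

With the thread's configuration (inbound ACLs only) the handshake completes with or without `ip inspect MYser0 in`, which is nkhawaja's point; only once a deny ACL sits in the reply direction does the SYN-ACK get dropped, and inspection is what reopens that path. The flood case shows Scott's point: with inspection the router can count half-open sessions and react when they exceed the configured threshold, while without it there is no session table at all and the router has no visibility into the attack.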