05-29-2012 07:57 AM - edited 03-04-2019 04:30 PM
Hi all, is there a difference between using inspect statements for stateful packet inspection of each packet and an ACL with "established" keyword for TCP connections? For example if you look at the below two config examples, aren't they both serving the same purpose?
! Option 1: CBAC inspection of outbound HTTP. Inspection only creates openings
! for return traffic in an inbound ACL; with no inbound ACL on gig0/0 nothing
! inbound is actually blocked.
ip inspect name myinspect http
!
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip inspect myinspect out
!
! Option 2: stateless ACL. Only TCP from source port 80 with the ACK or RST bit
! set is permitted inbound; everything else hits the implicit deny.
ip access-list extended internet
 permit tcp any eq 80 any established
!
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group internet in
05-29-2012 08:28 AM
Ricky,
CBAC (inspection) creates a session table to keep track of what connections were allowed out/in depending on the direction of the inspect. The established keyword only checks to see if there is an ACK or RST flag set in the traffic coming in. In reality, you can get around the ACK and RST flags fairly easily from the outside even if you haven't had an established connection, so CBAC is much more secure. From strictly a working perspective, these would allow the same thing.
HTH,
John
05-29-2012 10:40 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Another difference, besides what John already described: your TCP/80 established applies to any TCP traffic that matches your ACL, whereas CBAC is applied to HTTP. Although HTTP by default uses port 80, it doesn't have to, nor are other protocols unable to use port 80. See the subtle difference?
Also, CBAC might also be doing actual HTTP protocol inspection, e.g. GET/PUT commands; the ACL doesn't. So even if HTTP is using port 80, CBAC can ensure it's actually legitimate HTTP protocol.
So the two approaches are not really serving the same purpose, but depending on your security needs, in practice, TCP/80 established might be "good enough".
05-29-2012 08:38 AM
Ah, that makes sense. Thanks John for the detailed explanation and helpful advice as always.
05-29-2012 10:46 AM
Thank you.
05-31-2012 04:49 AM
You're welcome.
PS:
Forgot to mention another difference, CBAC should be stateful and TCP established is not. Stateful inspection makes it impossible to use more than one device for egress/ingress unless they share state information.
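The three differences raised in this thread (John's point that `established` only looks at the ACK/RST bits of each packet, Joseph's point that the ACL matches a port while inspection can look at the protocol, and the PS about state not being shared between devices) can be seen side by side in the following model. This is an added example, not code from the thread and not IOS; it is a toy Python simulation of the two filters. The inside host, web server, attacker address, port numbers and the simplified "looks like an HTTP request" check are all assumptions made for the illustration.

```python
"""Toy model of the two filters being compared: an `established` ACL versus a
CBAC-style session table. Constructed illustration, not IOS code; packets are
plain records and the hosts are RFC 5737 documentation addresses."""
import re
from dataclasses import dataclass, field

INSIDE = "10.0.0.5"          # assumed inside client behind gig0/0
WEB = "203.0.113.10"         # assumed legitimate outside web server
ATTACKER = "198.51.100.7"    # assumed outside host that never had a session

# Simplified HTTP request line; stands in for CBAC's application-layer check.
HTTP_REQUEST = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]\r\n")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # letters from S, A, R, F; "SA" is a SYN-ACK
    payload: bytes = b""


def established_acl_permits(pkt: Packet) -> bool:
    """`permit tcp any eq 80 any established` applied inbound: the router looks
    only at source port 80 and the ACK or RST bit of this one packet."""
    return pkt.sport == 80 and ("A" in pkt.flags or "R" in pkt.flags)


@dataclass
class StatefulInspector:
    """`ip inspect <name> http` applied outbound: an outbound SYN creates a
    session entry and inbound packets need a matching entry. With check_http
    set, outbound data that is not an HTTP request drops the session, so the
    replies of a non-HTTP protocol tunnelled over TCP/80 are blocked too."""
    check_http: bool = False
    sessions: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> None:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            self.sessions.add(key)
        elif self.check_http and pkt.payload and not HTTP_REQUEST.match(pkt.payload):
            self.sessions.discard(key)

    def inbound_permits(self, pkt: Packet) -> bool:
        # Reverse the tuple: an inbound reply has the inside host as destination.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def scenario_legit_http():
    """Inside client fetches a page; both filters let the replies through."""
    cbac = StatefulInspector(check_http=True)
    cbac.outbound(Packet(INSIDE, 40001, WEB, 80, "S"))
    syn_ack = Packet(WEB, 80, INSIDE, 40001, "SA")
    acl_ok, cbac_ok = established_acl_permits(syn_ack), cbac.inbound_permits(syn_ack)
    cbac.outbound(Packet(INSIDE, 40001, WEB, 80, "A",
                         b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    data = Packet(WEB, 80, INSIDE, 40001, "A", b"HTTP/1.1 200 OK\r\n\r\n")
    return {"acl": acl_ok and established_acl_permits(data),
            "cbac": cbac_ok and cbac.inbound_permits(data)}


def scenario_ack_from_outside():
    """Unsolicited packet from port 80 with the ACK bit set and no prior session:
    the established ACL accepts it, the session table has no entry and drops it."""
    probe = Packet(ATTACKER, 80, INSIDE, 1025, "A")
    return {"acl": established_acl_permits(probe),
            "cbac": StatefulInspector().inbound_permits(probe)}


def scenario_non_http_on_port_80():
    """Inside host speaks something other than HTTP on TCP/80 (constructed SSH
    banner). The port-based ACL cannot tell; protocol-aware inspection can."""
    cbac = StatefulInspector(check_http=True)
    cbac.outbound(Packet(INSIDE, 40002, WEB, 80, "S"))
    cbac.outbound(Packet(INSIDE, 40002, WEB, 80, "A", b"SSH-2.0-OpenSSH_8.9\r\n"))
    reply = Packet(WEB, 80, INSIDE, 40002, "A", b"SSH-2.0-dropbear\r\n")
    return {"acl": established_acl_permits(reply), "cbac": cbac.inbound_permits(reply)}


def scenario_asymmetric_path():
    """Two stateful routers that do not share state: the SYN leaves via A, the
    reply returns via B, which never saw a session and drops it."""
    router_a, router_b = StatefulInspector(), StatefulInspector()
    router_a.outbound(Packet(INSIDE, 40003, WEB, 80, "S"))
    reply = Packet(WEB, 80, INSIDE, 40003, "SA")
    return {"router_a": router_a.inbound_permits(reply),
            "router_b": router_b.inbound_permits(reply)}


if __name__ == "__main__":
    for fn in (scenario_legit_http, scenario_ack_from_outside,
               scenario_non_http_on_port_80, scenario_asymmetric_path):
        print(f"{fn.__name__:30s} {fn()}")
```

The model deliberately keeps the session logic to a single SYN-creates-entry rule; a real CBAC session table also tracks sequence numbers, FIN/RST teardown and idle timeouts, and the real HTTP inspection is far more limited than a request-line regex, but the four outcomes are the ones the posts above describe: the crafted ACK passes the ACL and not the session table, the non-HTTP payload passes a port match and not a protocol check, and a second router without shared state drops legitimate replies.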